House Hearing, 107TH Congress - ''How Do Businesses Use Customer Information: Is The Customer's Privacy Protected?''

HOW DO BUSINESSES USE CUSTOMER INFORMA-
TION: IS THE CUSTOMERS PRIVACY PRO-

TECTED?
HEARING
BEFORE THE
SUBCOMMITTEE ON
COMMERCE, TRADE, AND CONSUMER PROTECTION
OF THE
COMMITTEE ON ENERGY AND

COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
JULY 26, 2001
Serial No. 10749
Printed for the use of the Committee on Energy and Commerce
(
Available via the World Wide Web: http://www.access.gpo.gov/congress/house
U.S. GOVERNMENT PRINTING OFFICE

74846CC WASHINGTON : 2001
For sale by the Superintendent of Documents, U.S. Government Printing Office

Internet: bookstore.gpo.gov Phone: toll free (866) 5121800; DC area (202) 5121800
Fax: (202) 5122250 Mail: Stop SSOP, Washington, DC 204020001
VerDate 11-MAY-2000 10:19 Dec 03, 2001 Jkt 010199 PO 00000 Frm 00001 Fmt 5011 Sfmt 5011 E:\HEARINGS\74846 pfrm01 PsN: 74846
COMMITTEE ON ENERGY AND COMMERCE
W.J. BILLY TAUZIN, Louisiana, Chairman
MICHAEL BILIRAKIS, Florida JOHN D. DINGELL, Michigan
JOE BARTON, Texas HENRY A. WAXMAN, California
FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma BART GORDON, Tennessee
RICHARD BURR, North Carolina PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia BART STUPAK, Michigan
BARBARA CUBIN, Wyoming ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois TOM SAWYER, Ohio
HEATHER WILSON, New Mexico ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona GENE GREEN, Texas
CHARLES CHIP PICKERING, Mississippi KAREN MCCARTHY, Missouri
VITO FOSSELLA, New York TED STRICKLAND, Ohio
ROY BLUNT, Missouri DIANA DEGETTE, Colorado
TOM DAVIS, Virginia THOMAS M. BARRETT, Wisconsin
ED BRYANT, Tennessee BILL LUTHER, Minnesota
ROBERT L. EHRLICH, Jr., Maryland LOIS CAPPS, California
STEVE BUYER, Indiana MICHAEL F. DOYLE, Pennsylvania
GEORGE RADANOVICH, California CHRISTOPHER JOHN, Louisiana
CHARLES F. BASS, New Hampshire JANE HARMAN, California
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
DAVID V. MARVENTANO, Staff Director
JAMES D. BARNETTE, General Counsel
REID P.F. STUNTZ, Minority Staff Director and Chief Counsel
SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION

CLIFF STEARNS, Florida, Chairman
NATHAN DEAL, Georgia EDOLPHUS TOWNS, New York
Vice Chairman DIANA DEGETTE, Colorado
ED WHITFIELD, Kentucky LOIS CAPPS, California
BARBARA CUBIN, Wyoming MICHAEL F. DOYLE, Pennsylvania
JOHN SHIMKUS, Illinois CHRISTOPHER JOHN, Louisiana
JOHN B. SHADEGG, Arizona JANE HARMAN, California
ED BRYANT, Tennessee HENRY A. WAXMAN, California
STEVE BUYER, Indiana EDWARD J. MARKEY, Massachusetts
GEORGE RADANOVICH, California BART GORDON, Tennessee
CHARLES F. BASS, New Hampshire PETER DEUTSCH, Florida
JOSEPH R. PITTS, Pennsylvania BOBBY L. RUSH, Illinois
GREG WALDEN, Oregon ANNA G. ESHOO, California
LEE TERRY, Nebraska JOHN D. DINGELL, Michigan,
W.J. BILLY TAUZIN, Louisiana (Ex Officio)
(Ex Officio)
(II)
CONTENTS
Page
Testimony of:
Barrett, Jennifer T., Chief Privacy Officer, Acxiom ...................................... 49
Ford, John A., Chief Privacy Officer, Equifax, Inc ........................................ 58
Hourigan, Jacqueline L., Director, Corporation Data Policies, General
Motors Corporation ....................................................................................... 12
Johnson, David A., Vice President, Direct Marketing, Lands End, Inc ...... 23
Misener, Paul, Vice President, Global Public Policy, Amazon.com .............. 18
Pearson, Harriet P., Chief Privacy Officer, IBM ............................................ 7
Swift, Zeke, Director, Global Privacy, Procter & Gamble ............................. 15
Zuccarini, Deborah, Executive Vice President and Chief Marketing Offi-
cer, Experian Marketing Solutions .............................................................. 65
(III)
HOW DO BUSINESSES USE CUSTOMER IN-
FORMATION: IS THE CUSTOMERS PRIVACY
PROTECTED?
THURSDAY, JULY 26, 2001
U.S. HOUSE OF REPRESENTATIVES,

COMMITTEE ON ENERGY AND COMMERCE,
SUBCOMMITTEE ON COMMERCE, TRADE,
AND CONSUMER PROTECTION,
Washington, DC.
The subcommittee met, pursuant to notice, at 9:35 a.m., in room
2322, Rayburn House Office Building, Hon. Cliff Stearns (chair-
man) presiding.
Members present: Representatives Stearns, Shimkus, Bryant,
Walden, Terry, Bass, Tauzin (ex officio), Towns, DeGette, Doyle,
John, and Harman.
Staff present: Ramsen Betfarhad, majority counsel; Michael
OReilly, professional staff member; Brendan Williams, legislative
clerk; and M. Bruce Gwinn, minority counsel.
Mr. STEARNS. Good morning, good morning. I welcome all of you
here. This is the sixth and last in a series of hearings on informa-
tion privacy held by our Subcommittee on Commerce, Trade, and
Consumer Protection. This hearing concludes one phase of the sub-
committees inquiry into information privacy, but not the inquiry
itself.
I think these hearings have fulfilled their objective of informing
members and the public at large, in a deliberate and careful man-
ner, of the many issues implicated by the privacy debate. The col-
lective record of the six hearings is a rich resource of information
and opinion on the issue of information privacy, and should be used
to inform all of us on the debate on this issue.
I commend members of the committee to review the hearings
that we have had, the record that has been amassed by this sub-
committee on this important issue of information privacy, before
they seek to formulate or finalize their judgments on this matter.
In no other location, either within or without the Hill, will we find
a more comprehensive record on information privacy.
I am especially pleased to have as witnesses executives that rep-
resent some of the most revered companies in corporate America.
We all are or have been, at one time or another, customers of Gen-
eral Motors, IBM, Proctor & Gamble, Amazon.com, and Lands
End. I appreciate the fact that these companies didnt have to be
here testifying on the difficult public policy matter of information
(1)
2
privacy. So I recommendI commend all of them for their partici-

pation and wish to thank them for coming.
Many have written on or spoken to the issue of information pri-
vacy in the commercial world, as if the issue existed in a vacuum.
That is to say, some commentators on information privacy speak
with little or no consideration of the realities that characterize the
intersection between privacy and the commercial world. Today, we
have the rare opportunity to ask these large transnational corpora-
tions, representing differing industries, and the three top com-
pilers, what really transpires in the real world with respect to con-
sumer information.
The witnesses on the first panel represent a diverse group of
companies, ranging from the worlds largest industrial corporation
with 400,000 employees, to one that markets 300 brands of con-
sumer products to nearly 5 billion customerslet me repeat, 5 bil-
lion customersworldwide, and an online company that in less
than 6 years has become one of the most recognized brands in re-
tailing. These companies will all speak to how they collect customer
information; what types of information they collect; what uses they
put that collected information to; why they use the information in
the way that they do; and what business or legal incentives are in
place assuring the proper utilization of that consumer information.
Moreover, the witnesses on the second panel, representing data
compilers, will help us better understand what it is that they do.
We may know the most about the credit reporting services. We
have, all of us, invariably been subjected to credit checks in the
course of our ordinary lives, when applying for a car loan, a mort-
gage, credit cards, et cetera. Yet many of us may not know that
these three companies provide authentication and verification serv-
ices enabling the seamless and speedy execution of millions of
small and mundane transactions every day, such as the purchase
of a CD online from Amazon.com or off-line from Tower Records.
The insight offered by our witnesses is especially important when
considering the fine balance present between the proper and im-
proper collection and use of consumer data. As these hearings have
established, there are substantial benefits that accrue to our econ-
omy from the unencumbered flow of information, particularly con-
sumer information. Meanwhile, these same hearings have high-
lighted the fact that Americans do have concerns regarding abuses
that may arise from the collection and/or use of certain types of
consumer information in the commercial context.
The objective today, in this hearing, is to demystifymake con-
cretedata collection and use practices common in the commercial
world today. To put it more bluntly, the testimony, I hope, will help
separate fact from fiction, reality from myth, when it comes to the
issue of information privacy. Only when empowered with real facts
can Congress advance good public policy addressing information
privacy.
So, Mr. John, you are welcome with an opening statement.
Mr. JOHN. Yes, thank you, Chairman Stearns. My friend and col-
league, the ranking member from New York, is tied up at this mo-
ment in another subcommittee, on Commerce and Health. And I
temporarily will try to fill his large shoes. Me being from Louisiana
3
and him from New York, those are very big and different shoes to
fill.
But I ask unanimous consent that all members be permitted to
include their statements into the record.
Mr. STEARNS. By unanimous consent, so ordered.
Mr. JOHN. Thank you.
I am sure that the panelists are ready to get started. I want to
thank them and welcome them, the first panel and also the second
panel, and express my really sincere thanks to Chairman Stearns
for having a seriesthe sixth, as he saidon issues that are very
important on information privacy.
I also believe that these hearings have been useful, and helpful,
and they have meant a lot because of the issues that are con-
fronting businesses, regulators, and consumers. And I really look
forward to hearing from the folks that deal with this issue every
day, and working with the chairman and the ranking member as
we move through this process legislatively.
So, welcome. And I look forward to hearing your testimony.
Thanks.
Mr. STEARNS. I thank the gentleman. The gentleman from Illi-
nois, Mr. Shimkus?
Mr. SHIMKUS. Thank you, Mr. Chairman. I, too, want to welcome
the panel. I would have walked over and introduce myself; I was
here early. But I have an athletic injury, that I am doing as little
walking as possible. But we do appreciate your attendance.
We have dealt with, are trying to understand this from the pub-
lic policy position. Of course, many of us were with the Commerce
Committee when we passed Graham-Leach-Bliley. But statements
have constantly been made in this committee that we want to get
a handle on how privacy is good for businessobviously, that is
what we hope to hear from you all todayand how you go about
doing that.
In the financial services arena, there is some argument about
how sharing of information within a designed arena is actually
good for some consumers, too. And that may not be true in your
business. So that is why this panel is unique in some of the discus-
sions we have had. I look to focus on that area. I appreciate your
expertise and your willingness to come before us.
And with that, Mr. Chairman, I yield back my time.
Mr. STEARNS. The gentleman yields back. Mr. Doyle, the gen-
tleman from Pennsylvania?
Mr. DOYLE. Thank you, Mr. Chairman. I just want to welcome
our panelists this morning. I think were all anxious to hear what
they have to say. And I will ask unanimous consent that my state-
ment may be made part of the record, so that we can hear our pan-
elists. And I yield back.
[The prepared statement of Hon. Mike Doyle follows:]
PREPARED STATEMENT OF HON. MIKE DOYLE, A REPRESENTATIVE IN CONGRESS FROM
THE STATE OF PENNSYLVANIA
Thank you Mr. Chairman and Ranking Member, for holding this hearing. I am
looking forward to learning about the technologies, policies, and approaches that
some of the leaders in the electronic commerce industry have employed to prevent
unwanted dissemination and use of our private consumer information. Thank you
all for taking the time testify this morning.
4
As the discussions regarding individual consumer privacy progress in America
and before this subcommittee, I know think many of my constituents back in the
Pittsburgh area are not just asking how do business use my information but they
are saying, wait a minute, you mean businesses have been gathering my personal
information all along?
I often find that consumers in Western Pennsylvania seem to have no problem
allowing certain personal information to be collected and used by industry. For ex-
ample, the regional supermarket, Giant Eagle, asks for certain access to personal
shopping information through the use of the Giant Eagle Advantage Card. I myself
use such a card.
It provides incentives that members undoubtedly find useful, such as discount
coupons through the mail for items that a customer routinely purchases. Obviously,
this is an example of personal information use that both client and consumer find
beneficial and acceptable.
Protecting this type of personal information, while important, is decidedly dif-
ferent than protecting against abuses associated Social Security numbers, birth
dates, mothers maiden names, or health records. It is the extent to which this per-
sonally identifiable information is collected, used, and distributed that pose the
greatest threat to true privacy and create the need for Congress to find a solution
to protect consumers.
The industries represented this morning by our esteemed panelists are some of
the most successful and profitable companies in America. I am anxious to hear of
the problems associated with implementing their effective self-regulatory policies,
for if our Fortune 100 companies have difficulty funding privacy protection policies,
surely our smaller firms or medium size companies will have greater problems gen-
erating the necessary capital and resources.
In closing, Mr. Chairman, I look forward to finding a way that Congress can aug-
ment and aid effective industry self-regulation in a manner that will not impede the
continued development of e-commerce, while protecting and ensuring consumer
rights are upheld.
Mr. STEARNS. The gentleman yields back. His opening statement
will be made a part of the record.
And the gentleman from New Hampshire, Mr. Bass?
Mr. BASS. Thank you very much, Mr. Chairman. And I, too, join
my colleagues in thanking you for having this final hearing. It has
been a fascinating series of hearings. I have learned more, I
thinklearned a lot more than I have been able to impart to other
folks about this issue, which is extremely complex.
And I hope that we will be able to clear up some of the mis-
conceptions that may exist about corporate or business use of per-
sonal information vis-a-vis Internet transactions. And I also hope,
Mr. Chairman, that as we listen to these witnesses, we try to sepa-
rate what may already be illegal anyway under existing law from
what may need to be attended to by the Congress.
And we may not need to do anything. But again, I think it is im-
portant that this committee fully and thoroughly investigate the
issue so that we understand, so that we understand its complexity
and scope, so that as the Internet becomes more and more signifi-
cant in the economynot that it isnt alreadythat we will be in
a position to deal with it from a position of strength, rather than
ignorance.
And I appreciate the chairman holding these hearings.
Mr. STEARNS. I thank the gentleman.
[Additional statements submitted for the record follow:]
PREPARED STATEMENT OF HON. W.J. BILLY TAUZIN, CHAIRMAN, COMMITTEE ON
ENERGY AND COMMERCE
Thank you, Mr. Chairman for calling this hearing. I understand that this will con-
clude the series of education hearings you have held on privacy, so I also want to
commend you for developing a process that allows us to consider this issue in a
thoughtful and deliberative manner.
5
The topic of todays hearing is very important in the overall privacy debate. Too
often in Washington we are told how it works in the real world through the eyes
of Washington-based trade associations, lobbyists and consumer groups. Todays wit-
nesses will provide a different perspectivefrom the real world. I appreciate their
willingness to come forward and share their knowledge and experience.
As Chairman of the Committee, and as a consumer, I have heard and seen a great
deal of activity by American companies. Let me sum up what they tell me: they like
to exploit consumers for all their worth, they know consumers dont care about prod-
uct quality, they dont try to maintain good customer relations, they can always find
new customers to replace dissatisfied customers, they dont think that their brand
name is that important, and they dont care about consumer privacy. I joke for pur-
poses of making a pointCompanies Do Care About Consumer Relations. The litany
of untruths I just rattled off is completely opposite from what I have experienced
from American business.
In our market economy, competition compels companies to strive to meet con-
sumer needs. If a company doesnt do what customers want, theyll go elsewhere.
People sometimes seem to forget this. Yet, it is a fundamental fact of commerce that
service to the consumer is the cornerstone of a successful company.
Privacy is becoming a factor that consumers take into account as they shop. It
may not be the primary concern, but it is a factor. Many companies have recognized
this and have responded in kind with improved privacy practices. In fact, many of
the privacy requirements that some want mandated by Washington are already
being implemented by reputable companies. It is simply sound business practice to
do so.
Some companies even use their privacy practices to gain competitive marketing
advantage over competitors. IBM, for instance, recently plastered a picture of their
privacy guru, who is here with us today, in countless advertisements. Obviously,
they see a positive side to the privacy debate.
So, it is instructive to examine just how real companies are dealing with privacy
in the real world. We need to learn how established leaders in the American econ-
omy (and often the trend-setters) collect customer information, what the information
is used for, and how companies handle consumer privacy. I hope the panelists will
enlighten us on these points.
I also hope that this hearing will help debunk the scary scenarios that have been
created to stir up consumer angst. Over the past few years, we have heard a lot
of crazy stories about how consumer information is used. Many of these stories have
proved to be false.
Furthermore, I am pleased to see a discussion of the practices of the so-called
data aggregators. Most people have had experience with the credit ratings services
of some of these companies, but they often offer many other services. It is important
to demystify just how they operate and what they do.
I note that one of the benefits of data aggregators is of direct benefit to consumer
needsthe reduction of junk mail. If you have ever received a catalog addressed to
you that you have completely no interest in then you know firsthand the results of
poor information. The accurate information provided by aggregators helps compa-
nies offer consumers the products and services they will find useful. Of course,
many people have questioned the privacy practices of data aggregators and so here
is a chance to set the record straight.
Going forward, one thing should be clear: I dont see a need to legislate on false
scenarios. We cannot and will not design some elaborate new privacy regime that
will take into account every possible daydream of how information could be used.
Reality must be taken into account. We will look to all parties to keep this in mind
as we proceed in this debate.
I thank the Chairman and appreciate his indulgence.
PREPARED STATEMENT OF HON. EDOLPHUS TOWNS, A REPRESENTATIVE IN CONGRESS

FROM THE STATE OF NEW YORK
Thank you Mr. Chairman and I too would like to welcome the witnesses to our
sixth hearing on Privacy.
Nearly every company across the country compiles information on the consumers
who use their products and some companies compile the data to sell to other cor-
porations. I am interested to hear what the companies assembled here today have
to say regarding their handling of personal information.
Consumers across the country are literally begging to be informed on how their
information is collected, used and PROTECTED. And that is assuming they realize
who is collecting the information.
6
It is my hope today that the witnesses will shed light on not only their practices
on HOW they collect information, but what they do with it after they get that infor-
mation.
I would like to commend the witnesses today. They have chosen to step forward
and educate members of the committee on this topic. You all have invested in mak-
ing consumers privacy a priority.
This brings me to the main reason I am advocating some sort of minimum privacy
standards. Not all companies are doing what Fortune 100 companies do. Not all of
them take their customers as seriously as do others.
As I weigh this issue over the August recess and decide what type of privacy bill
to submit, consumer and corporate responsibility will serve as my compass and I
look forward to reviewing the testimony of past witnesses and hearing the testimony
of those assembled here today.
Mr. Chairman, with that I yield back the balance of my time.
PREPARED STATEMENT OF HON. JOHN D. DINGELL, A REPRESENTATIVE IN CONGRESS

FROM THE STATE OF MICHIGAN
Mr. Chairman, I want to thank you for holding this important hearing. Privacy
has been a major consumer concern for a long time, and that concern has increased
greatly with the advent of the internet and e-commerce. In fact, market researchers
estimated last year that consumer concerns about privacy and security caused e-re-
tailers to lose $6.1 billion in sales worldwide. Clearly, business is paying a big price
for the concerns consumers continue to have about online transactions.
For some online businesses, strong privacy protections have become the key to
greater competitiveness in the marketplace. Many firms now highly publicize their
privacy policies as they vie with each other to see who can give consumers the great-
er comfort and security about online retailing. Today we will hear from several large
businesses that have heard and responded to the privacy concerns of consumers.
While I compliment these companies for their initiative and responsibility, I
would caution my colleagues against drawing any conclusion that what these firms
have done is representative of all business. It is not. And it is because it is not that
the Federal Trade Commission (FTC) has recommended that Congress pass online
privacy legislation.
The FTC reported to Congress last year, and I quote, only 20% of the busiest
sites on the World Wide Web implement to some extent all four fair information
practices in the privacy disclosures. The FTC goes on to say, Moreover, the en-
forcement mechanism so crucial to the success and credibility of self-regulation is
absent.
Mr. Chairman, a privacy right that is not enforceable is not worth the paper its
written on, or in this case the screen. That is why this Subcommittee needs to com-
plete these hearings and get about the important task of considering legislation. The
legislation needs to establish minimum standards governing the handling of infor-
mation online. It needs to give the FTC authority to promulgate more detailed
standards as necessary. And most importantly, it needs to provide adequate enforce-
ment authority. Without an effective means of enforcing consumer privacy rights,
consumers have no way to guarantee their rights are protected.
Mr. Chairman, again I thank you for holding this hearing, and I look forward to
working with you and the Ranking Member of the Subcommittee, Mr. Towns, on
legislation to make sure that the privacy rights of consumers that engage in online
transactions are fully protected.
Mr. STEARNS. And now we will have our first panel. Let me wel-
come all of you. Ms. Harriet Pearson, Chief Privacy Officer from
IBM; Ms. Jacqueline Hourigan, Director of Corporation Data Poli-
cies, General Motors Corporation; Mr. Zeke Swift, Director, Global
Privacy, Proctor & Gamble; Mr. Paul Misener, Vice President,
Global Public Policy, Amazon.com; and Mr. David Johnson, Vice
President, Direct Marketing, Lands End, Incorporated.
I welcome you. And Ms. Pearson, we will have your opening
statement.
7
STATEMENTS OF HARRIET P. PEARSON, CHIEF PRIVACY OFFI-
CER, IBM; JACQUELINE L. HOURIGAN, DIRECTOR, CORPORA-
TION DATA POLICIES, GENERAL MOTORS CORPORATION;
ZEKE SWIFT, DIRECTOR, GLOBAL PRIVACY, PROCTER &
GAMBLE; PAUL MISENER, VICE PRESIDENT, GLOBAL PUBLIC
POLICY, AMAZON.COM; AND DAVID A. JOHNSON, VICE PRESI-
DENT, DIRECT MARKETING, LANDS END, INC.
Ms. PEARSON. Thank you, Mr. Chairman. And members of the
committee, thank you for inviting IBM to share our views on this
important subject.
My name is Harriet Pearson. I am the Chief Privacy Officer for
IBM. We are the worlds largest information technology company,
and the worlds largest e-business services company. We believe
that from that vantage point we have a unique perspective on the
issue of privacy, dealing as we do with so many customers who use
information in their own businesses worldwide.
IBM has a longstanding commitment to privacy dating back to
the 1960s. We were among the first corporations to develop a glob-
al privacy policy, focusing first on our employees. We were the first
online advertiser to advertise and restrict our advertising only to
those Internet sites that posted privacy policies. We are a leader
in privacy and security technologies, with over 600 patents in that
area.
As Chief Privacy Officer, I manage our internal privacy policies,
help bring together our research and technology initiatives, and en-
gage customers and policymakers worldwide on this issue. The ef-
fort is complex for a large company like ours. For example, on the
web, ibm.com has over a million pages of content, and each site
needs to have a privacy statement. Privacy is a priority for IBM,
and for the health of our marketplace.
With that introduction, I would like first to comment upon how
we use data ourselves, since that is a topic of this hearing. Then
second, I would like to provide some observations from where we
sit on how others, thousands of our customers, use data for their
processes. And finally, I would like to close with several rec-
ommendations for how you as policymakers can continue building
a record in this area and further the public policy agenda.
I would like to turn to IBM first. The primary subject of this
hearing is how companies use data. We at IBM strive to use data
creatively and responsibly. Most of IBMs customers are organiza-
tions rather than individuals, but in both cases we use data to
identify likely customers, understand their needs, and to market to
them. We use data to offer the right solutions, deliver orders effi-
ciently, offer strong service and support, and to maintain good rela-
tionships.
These normal business functions require the collection and effec-
tive use of data about individuals. For example, when a consumer
purchases an IBM personal computer, whether it is an Aptiva or
a ThinkPad, we use information about their purchase, such as their
name, address, phone, e-mail address. And we collect their pref-
erences about whether or not they wish to be contacted. If they
choose to register with what we call our Owner Privileges program,
we use their information to provide a free product update news-
8
letter, prioritize telephone handling with a special toll-free number,

and other special offers.
We govern our use of information with corporate-wide policies
and practices on privacy. They govern how we use information
worldwide. These policies require us, globally, to provide individ-
uals notice of our information practices, and of the choices they can
make about the use of their data. We require, also, ourselves to im-
plement appropriate security and accuracy measures. And finally,
we also have contractual protections for customers when we share
data with our business partners and suppliers. And we do share
data with those suppliers and business partners; lots of companies
help us go to market and do business.
IBM is leading within the larger business trend of becoming ac-
countable on privacy. From our vantage point, working as we have
with nearly 20,000 businesses in the last several years imple-
menting and using the Internet to improve their businesses, we see
firsthand how they use information to improve, in turn, their serv-
ices and products for their consumers. These companies use con-
sumer information in ways very similar to those I have just stated.
And my experience is, personally and my colleagues, is that they
have the same level of concern for consumer satisfaction and pri-
vacy.
For example, one of our grocery chain customers uses informa-
tion about consumer purchases to improve their decisions about
which items to stock and when; to offer discounts; and to tailor pro-
motions to individual customers. Data helps them reduce costs, and
to run their company more efficiently, and to provide better service
for their consumers.
I have mentioned other examples in my written statement, and
you will of course hear from the other companies here today. I per-
sonally have spoken with 100 or more, hundreds, of companies in
the first 6 months of this year, and I can see significant growth in
awareness of privacy issues, and a commitment to doing the right
thing with respect to consumers. It is amazing to see how the level
of awareness has grown within the U.S. business community.
I believe the heart of the privacy challenge is that individuals
must understand how information about them is used and how
they benefit. They should be able to exercise choices and feel that
the system that handles their information is under control. They
need to feel confident that the relationships in which they enter are
going to be ones that respect their wishes.
It is important that we focus on these issues now and later. From
our vantage point, it is clear that we are still in the early stages
of a technological revolution that will change how we as businesses
deal with consumers, and it is only going to keep accelerating in
terms of how the technology lets us manage information. Therefore,
I conclude with a few thoughts on how you as policymakers can
move ahead.
The point, it seems to me, is to find a balanced approach between
government regulation, industry action, and individual responsi-
bility. And our view is that a framework for those issues and how
to approach it has emerged in this country. It is built on top of over
30 existing laws on privacy; layered on top of that, industry initia-
tives and proactive engagements by companies such as ours; and
9
on top of that, the kinds of tools and technologies that are available
now for companies to use.
We need to have a deliberative approach, as you, Mr. Chairman,
and the members of the committee have agreed to, to study these
issues and find out, where is the harm? Where are the issues that
need to be addressed? And how public policy fits into that picture.
I commend you for your approach. We at IBM would like to con-
tinue to be a constructive player in this process. And we thank you
for the opportunity to share our views.
[The prepared statement of Harriet P. Pearson follows:]
PREPARED STATEMENT OF HARRIET P. PEARSON, CHIEF PRIVACY OFFICER, IBM
CORPORATION
Thank you Mr. Chairman for inviting me to share IBMs views.
My name is Harriet Pearson and I am the Chief Privacy Officer of the IBM Cor-
poration. IBM is the largest information technology company in the world. We de-
velop and manufacture many of industrys most advanced technologies, including
computer systems, software, networking systems, storage devices and microelec-
tronics. We also are the worlds largest e-business services company, delivering stra-
tegic consulting and helping our clients to use information technology to improve
their internal operations and service to customers. This gives us a unique vantage
point from which to comment on privacy issues, working as we do on a global basis
with companies, governments, and organizations of all sizes.
IBM has a long standing commitment to privacy. In the 1960s, IBM developed one
of the first global privacy approaches for business, focused around employee privacy.
As the computer revolution progressed, we supported privacy legislation to protect
e-mail and medical information. IBM remains a leader in privacy and security tech-
nologycurrently holding over 600 patents for such technologies. IBM was the first
online advertiser to announce that it would only advertise on Internet sites that
posted privacy policies. Last year our CEO, Louis Gerstner, appointed me as IBMs
Chief Privacy Officer to confirm that IBM has the right internal policies in place,
to help unify our many privacy research and technology initiatives, and to engage
customers and policymakers worldwide about privacy issues.
Im certainly not alone at IBM in my efforts. We have a privacy team that works
across IBM in areas like marketing, development, services, human resources, and
legal. The effort is complex for large companies. IBM is an $88 billion company that
employs more than 300,000 people in the United States and operates in 160 coun-
tries. On the Web, ibm.com has more than a million pages of content and each site
needs to have a privacy statement.
Externally, IBMs Privacy Consulting and Technology teams are helping organiza-
tions implement sound privacy practices and giving them the tools to do so. At all
levels, IBMers speak out about the importance of privacy and are backing their
words with actions to help build a responsible marketplace that can earn peoples
trust. In short, privacy is a priority within IBM and it is important to the health
of the marketplace in which we operate.
HOW IBM USES CUSTOMER DATA
IBM policies and practices are designed to let us use data creatively and respon-
sibly. Most of IBMs customers are corporate rather than individual clients. In both
situations we work to identify likely customers, understand their needs, and market
to them. We strive to offer the right solutions, deliver orders efficiently, offer strong
service and support, and maintain good relationships in hopes of earning future
sales. All of these normal business functions require the collection and effective use
of data about individuals.
For example, when an individual or small business owner purchases an IBM
Aptiva or Thinkpad personal computer, we ask them for information about their
purchase, their name, address, phone, e-mail and preferences about being contacted.
As a special service for those customers willing to take the time to register with
our Owner Privileges program, we use this information to provide a free e-mail
newsletter, prioritized telephone handling through a special toll-free number, and
special offers for registered customers (e.g. coupon for free stamps from
Stamps.com).
We inform customers about their choices not to receive further marketing mate-
rials from IBM, and respect their preferences. We might also use third-party sources
10
like the National Change of Address Service managed by the U.S. Postal Service
to verify address changes. We thus use customer information to provide better and
more-tailored service, while solidifying the relationship with the customer.
The net result? In this and other situations involving customer information, IBM
is able to offer services better-targeted to those who might be interested, while at
the same time delivering fewer solicitations to people who are not.
IBM has a set of corporate-wide policies and practices to govern our actions when
we use personally identifiable data and we train IBM professionals who are bound
by these policies and practices. Our policies also require that we put in place con-
tractual protections when we share data with business partners and suppliers.
When IBM gathers personally identifiable information online, we offer notice of
our privacy practices and inform the individual of their choices regarding the use
of that data. In the case of e-mail solicitations, IBM requires that the individual
first give his or her permission before the e-mail is sent unless we already have an
existing business relationship. Our policies require that we safeguard the informa-
tion in our possession and limit its visibility.
IBM is leading within a larger business trend of taking action to be accountable
on privacy. In just the past few years, weve seen a rapid growth of the number of
online privacy statements, chief privacy officers, privacy technologies, seal pro-
grams, and in the U.S., targeted laws to protect sensitive information. This sub-
committee should be proud its work to explore what further needs to be done. To
best reap the benefits of the information economy and preserve privacy in the proc-
ess, there must be a balanced approach. IBM believes it should begin with an under-
standing of what the future holds.
THE FUTURE OF THE INFORMATION ECONOMY
Much has been said about the demise of the information economy in the wake of
the dot.com meltdown. In fact, however, we are still in the early stages of a global
technological transformation that will revolutionize our society over the next 25
years, driving our economy and exponentially expanding our opportunities. The
transformation is being fueled by the rapidly increasing power of the technology
itself and of information networks. These enable new models for business, health
care, education and government.
The Internet will transform every important business transaction and relation-
ship. This includes improving relations with customers, but much more. It also
means transforming relations with people who want to invest with you and people
who want to work for you. Companies also will use the Net to integrate supply
chains that connect an enterprise to markets and industries. Internal transactions,
such as order processing, fulfillment, logistics, manufacturing and employee proc-
esses, will be faster and less costly.
Companies will even be able to be in contact with their productsappliances, in-
dustrial machinery, consumer electronicsso the company can provide after-sale
service, understand product performance, and make improvements. Government will
evolve similarly, as taxpayers will expect not only online services, but also efficient
management. The benefit is very significant in hard dollar savings and cost avoid-
ance when transactions are performed on the Web as opposed to the old paper for-
mat. For example, IBM saves 70 percent on transaction costs when we use the Web
and we have seen many similar results across industry as a result of e-trans-
formations.
However, all this adds up to massive data collection and management and re-
quires a heightened awareness and commitment to privacy throughout our society.
My colleagues and I at IBM see first-hand how thousands of companies use infor-
mation to improve their service and products for consumersweve helped over
18,000 businesses successfully leverage the Internet. And these companies use con-
sumer information in ways very similar to the companies at todays hearing, and
with much the same level of concern for consumer satisfaction and privacy.
Here are some examples:
A multi-billion dollar US-based financial services firm uses state-of-the-art data-
base technology in a way thats allowed them to anticipate customer needs and
to respond rapidly. The company uses customer information to help it pinpoint
delinquencies early, so it can work harder and earlier with customers to help
them become solvent again. It can better tailor product offers to those who
might be interestedfor example, offering coupons toward phone service for
those customers who achieve a certain level of usage. The firms objective is to
treat all of its customers with the same level of respect and to discover what
is important to each customer.
11
A utility company uses the consumer information it collects to identify customers
that may be interested in additional services and market them accurately; to
further customize rates and offer analysis to specific customers; to generate per-
sonalized reporting much faster than it was able to previously; and to diversify
their service offerings and react quickly to new business opportunities.
A grocery store chain uses information about consumer product purchases to:
make better decisions about which items to stock and when; to offer customized
discounts and other offers on those products which an individual customer buys
or may be likely to be interested in; and overall to reduce cost and run the com-
pany more efficiently.
It is clear that the fullest fruits of the information revolution will remain un-
tapped unless individuals can understand how information about them is collected
and communicated to others. This lack of knowledge can drive feelings of mistrust,
fear, and a loss of control. Individuals also must understand that they benefit from
information exchanges in terms of savings, convenience, services, and jobs. Many
surveys show that people want products quickly and conveniently and want high
levels of service. They realize that some information exchange is needed.
Importantly, individuals must be able to exercise choices and feel that the system
is under control. They must feel confident entering into data sharing relationships
with banks, doctors, credit card companies, grocery stores and their government.
This is the heart of the privacy challenge.
NEED FOR A BROADER U.S. PRIVACY DEBATE
Agreement is emerging around the world that private sector initiatives are critical
to address privacy concerns in day-to-day commercial activities. Even in environ-
ments that embrace strict data processing regimes like the European Union, govern-
ments recognize that robust and accountable market-led measures must play a
prominent, if not preeminent, role. Europeans call it co-regulation. In the United
States it is often referred to as industry self-regulation.
Business leadership is crucial because governments do not have the manpower,
technology, or jurisdictional authority to comprehensively monitor consumer trans-
actions in cyberspace, nor would many people want government to carry out such
a task if it could. This brings me back to the question I posed earlier about pre-
serving privacy and the benefits of the information economy: Is there a balanced ap-
proach between government regulation, industry action, and individual responsi-
bility?
As this subcommittee established at an earlier hearing, approximately 30 federal
laws regulate privacy in some form. These laws tend to focus on (1) preventing
fraudulent or harmful uses of data (e.g. identity theft, employment discrimination,
deceptive trade practices, or surreptitious monitoring of e-mail) and (2) establishing
special rules and protections for sensitive information (e.g. financial, medical, and
childrens data).
Layered upon these protections are industry initiatives like privacy policies, seal
programs, industry codes of conduct, and suppression lists for telemarketing and
commercial e-mail. Furthermore, people can use privacy technologies to control cook-
ies or to surf, shop, and send e-mail anonymously. Many are free and some are
being built into the architecture of the online marketplace (e.g. the Platform for Pri-
vacy Preferences).
U.S. law and practice reflect a desire to balance individual privacy and the soci-
etal benefits of data availability (e.g., economic efficiency, free speech, accountable
government). This is a solid framework and should be the basis on which any new
or modified U.S. privacy regime is built.
Some have asked, where is the harm in data collection as a rhetorical question
to imply there is no harm or risk. We should ask the question in earnest. And then
answer it by devising responses to peoples real and legitimate concerns about data,
such as identity theft, financial fraud, disclosure of embarrassing information, em-
ployment discrimination, denial of insurance, government seizure, or nuisance
issues like spam. We should not create laws because of a vague notion that data
collection itself is harmful.
We need to examine the incidence of these concerns, identify their causes, assess
any harm they may cause, and then as leadersin government and the private sec-
torensure that an appropriate policy regime is in place. Too much of the privacy
debate now speculates on how commercial data might be used without going
through these steps. We should identify a spectrum of privacy concerns and link
them with protections afforded by current law and practice. Most Americans are un-
aware of the privacy protections afforded them now by the Fair Credit Reporting
12
Act, the FTC Act, the Network Advertising Initiative, the Privacy Act, the Electronic
Communications Privacy Act, and the Fourth Amendment.
Against this backdrop we should review proposals by Members of Congress and
consider what further actions might be appropriate for industry or the Administra-
tion. This subcommittee has demonstrated that privacy has many dimensions and
is complex, but I sense that we are beginning to gain a fuller knowledge and per-
spective that will allow us enter a more productive dialogue on privacy and to craft
appropriate responses.
In summary, we should build on current law where necessary and link solutions
to peoples top priorities. We appreciate the subcommittees thoughtful examination
of privacy issues and the critical role you will play in shaping balanced, appropriate
responses. IBM is committed to continue being a constructive player in this process.
For example, we have joined with other companies in groups such as the Privacy
Leadership Initiative to further the contributions that the private sector can make
to understanding these complex issues and communicating helpful information to
fellow business and consumers.
Most companies agree that any U.S. privacy regime should be a national solution,
not a patchwork of fifty conflicting regimes. The regime should encourage trans-
parency and choice. It should hold government and non-profit organizations account-
able to similar standards asked of industry. It should neither discriminate against
the Internet nor create new private rights of action.
In consummary, IBM believes that the best privacy model is a layered approach
of responsible industry action, consumer-empowering technology, and targeted gov-
ernment action that promotes transparency, protects sensitive information, and ap-
propriately addresses harmful and fraudulent data practices. This framework can
build consumer trust and remain flexible enough to allow companies to offer the
convenience, savings, services, and jobs that benefit our citizens.
Thank you for this opportunity to share our views.
Mr. STEARNS. Thank you.
Ms. Hourigan?
STATEMENT OF JACQUELINE L. HOURIGAN
Ms. HOURIGAN. Good morning, Mr. Chairman and members of
the subcommittee. My name is Jacqueline Hourigan, and I am the
Director of Corporate Data Policies for the General Motors Cor-
poration. I welcome the opportunity to appear today to discuss
GMs perspectives of this very complex issue of data privacy.
As you heard earlier, we have over 400,000 employees, 30,000
suppliers, and 8.7 million vehicles sold last year in over 200 coun-
tries. As a result, the collection, use, and security of personally
identifiable data, collected both on the Internet and in the off-line
world, are critically important issues for GM. As a result, we do ap-
preciate the deliberative and thoughtful approach this committee
has taken to this incredibly complex issue.
Our customers trust is a priority for GM, and we are working
to balance our customers needs and expectations with the benefits
available from the free flow of information. Specifically, we seek to
align our internal policies and processes with customer expecta-
tions and data privacy laws worldwide.
We collect information through a variety of means, including
standard market research and response techniques; visits to GM
web sites; product purchase channels; as well as in-vehicle tech-
nology designed to enhance the safety and security of our drivers
on the road.
We are also sensitive to the privacy concerns of our employees,
as well as our need to effectively deploy and support our work force
on a worldwide basis. The ability to transfer human resource data
across borders is extremely critical for multinational companies
such as GM. We strive to balance very significant and legal and so-
13
cietal expectations for privacy with the objective of enhancing our

customers ownership experience. With a better understanding of
our customers, we can make their shopping, buying, and owning
experience more enjoyable, and make the entire process more effi-
cient and cost-effective for GM.
Because the development lead time for vehicles can be up to 3
years long, it is important for us to understand our customers pref-
erences and the market trends. For example, data on customer pur-
chasing and usage patterns can help us target products more effec-
tively to meet consumer needs, and also to tailor messages and pro-
motions to the interests of current and prospective customers.
We have built a data base about GM vehicle owners to facilitate
after-market sales, repairs, next vehicle purchase, and to cross-
market the broad range of GM products and services. Customer in-
formation is also critical to our U.S. vehicle warranty data base,
which is used in the event of a safety or customer satisfaction re-
call. In addition, customer information may be shared with other
parts of the company, so we can enhance the shopping, buying, and
owning experiences of our customers with related information and
services.
The emergence of new technologies has facilitated more one-to-
one communications with our customers. Consequently, we are
moving toward a process whereby the consumer will control the
type of information they receive, and the manner in which they re-
ceive it. The benefits to the customer of this data-rich analysis and
cross-marketing focus are increased satisfaction with products and
services that are better suited to their needs, and marketing efforts
that provide meaningful benefit at the appropriate time and
through the communication channel of the consumers choice.
Attention to the issue of data privacy has been elevated to the
highest levels of management at GM. Last fall, a corporate officer
assumed responsibility for developing a global data privacy strat-
egy, and my position, which focuses on coordinating our global
business units implementation of GMs privacy strategy, was also
created.
We are implementing the strategy on a scheduled basis through-
out GMs global marketplace, through the adoption of privacy state-
ments by individual GM business units. The privacy statements
will vary by business unit, and the applicable laws, customs, and
culture of particular countries. GM already has in place a global in-
formation security policy that provides guidelines for appropriate
use and handling of GM data.
Again, we appreciate the opportunity to be here today to discuss
GMs approach to data privacy, and our ongoing commitment to
honoring our customers privacy preferences. We commend this
committee for taking a thoughtful approach to this complex issue,
and hope that you will continue to seek industrys input to ensure
the approach adopted does not result in legislation that could be
burdensome, impractical, and could produce unintended con-
sequences, such as higher consumer costs, prevention of legitimate
information collection, and the creation of obstacles to the free flow
of information.
Thank you very much.
[The prepared statement of Jacqueline L. Hourigan follows:]
14
PREPARED STATEMENT OF JACQUELINE L. HOURIGAN, DIRECTOR OF DATA POLICIES,
GENERAL MOTORS CORPORATION
Mr. Chairman and members of the subcommittee, my name is Jacqueline
Hourigan, and I am the Director of Data Policies for the General Motors Corpora-
tion. I welcome the opportunity to appear before the members today to discuss GMs
perspectives on the issue of data privacy.
GM appreciates the deliberative and thoughtful approach this committee has
taken to the privacy issue. For decades we at GM have worked hard to build strong
relationships with the millions of GM customers. These relationships, based on high
quality and exciting products and services, are critically important to us. The trust
we have established and continue to reinforce through our policies and practices is
key to General Motors success in this extremely competitive automotive and finan-
cial services market.
By way of background, General Motors is the worlds largest industrial corpora-
tion. GM designs, manufacturers, and markets cars, trucks, heavy-duty trans-
missions, and locomotives worldwide. Other substantial business interests include
Hughes Electronics Corporation and General Motors Acceptance Corporation
(GMAC). GM cars and trucks are sold in 200 countries and the company has manu-
facturing or assembly operations in more than 30 countries. GM employs 400,000
people worldwide and partners with over 30,000 suppliers. In 2000, GM sold 8.7 mil-
lion vehicles worldwide and had revenues of $185 billion.
IMPORTANCE OF THE PRIVACY ISSUE TO GM
The collection, use, and security of personally identifiable data collected on the
Internet and in the off-line world are important issues for GM. We seek to align
our internal processes and policies with consumer expectations and data privacy
laws worldwide. We collect information through a variety of means, such as tradi-
tional market research and response techniques, visits to GM web sites, subscrip-
tions to OnStar, insurance, finance or mortgage products with GMAC, and through
in-vehicle technology designed to enhance our customers safety and security.
GMs privacy concerns also apply to data GM maintains on employees. A key busi-
ness objective for GM is the effective deployment and support of our workforce. The
ability to transfer human resource data across borders is extremely important to
companies that have a global footprint, such as ours.
USES OF DATA AND BENEFITS TO CUSTOMERS
GM strives to balance the very significant legal and societal expectations for pri-
vacy with the objective of enhancing our customers ownership experience. With a
better understanding of our customers, we can make their shopping, buying, and
owning experience more enjoyable and make the entire process more efficient and
cost effective for GM.
Because the development lead-time for vehicles ranges from approximately 24 to
36 months, it is important for us to understand customer preferences and market
trends. At GM, we apply predictive modeling techniques to the data provided us by
our customers to assess trends and forecast our customers future preferences. The
better we understand our customers and where we are gaining or losing sales, the
better we can focus our product and marketing priorities.
We also optimize our ongoing marketing efforts by tailoring relevant messages
and promotions to our current and prospective customers. Customers generally own
their vehicles for many years (almost a decade on average) and we have built a sub-
stantial database with information on GM vehicle owners that we use to facilitate
after-market sales, repairs, next vehicle purchase, and to cross-market the broad
range of GM products and services. It is important to note that customer informa-
tion is also compiled to populate our U.S. vehicle warranty database so that we can
contact customers in the event of a safety or customer satisfaction recall.
Customer information may be shared with other parts of the company. By offering
a suite of products and services to our customers their learning, shopping, buying,
and owning experience is enhanced. By way of example, GMACs real estate oper-
ation is focused on coordinating realtor, mortgage, closing, moving, homeowner, and
relocation services that are critically important to anyone buying a new home. By
sharing customer information within the GMAC organization, we can create a seam-
less service delivery platform that gives time back to the customer and creates real
value for them.
The emergence of new technologies has facilitated more one-to-one communica-
tions with our customers. Consequently, we are moving toward a process whereby
15
the consumer controls the type of information they receive and the manner in which
they receive it.
The benefits to the customer of this data-rich analysis and cross-marketing focus
are increased satisfaction with products and services better suited to their needs
and marketing efforts that provide meaningful benefit at the appropriate time and
through the communication channel of their choice.
WHAT DATA HANDLING PRACTICES DOES GM EMPLOY
Attention to the issue of data privacy has been elevated to the highest levels of
management at General Motors. Last fall, a corporate officer assumed responsibility
for developing a global data privacy strategy for the corporation, and my position,
which focuses on coordinating our business units implementation of GMs privacy
strategy globally, was also created.
GM is implementing the strategy on a scheduled basis throughout GMs global
marketplace through the adoption of privacy statements by individual GM business
units. These privacy statements will vary by business unit and the applicable laws,
customs, and culture of particular countries. GM already has in place a global infor-
mation security policy that provides guidelines for appropriate use and handling of
data.
CONCLUSION
Again, we appreciate the opportunity to be here today to discuss GMs approach

to data privacy and our commitment to respecting our customers privacy pref-
erences. We commend this committee for taking a thoughtful approach to this com-
plex issue. We hope that you will continue to seek industrys input to ensure the
approach adopted does not result in legislation that would be burdensome, imprac-
tical and would produce unintended consequences. These unintended consequences
could include higher consumer costs, prevention of legitimate information collection,
and the creation of obstacles to the free flow of information.
Thank you.
Mr. Swift?
STATEMENT OF ZEKE SWIFT
Mr. SWIFT. Thank you, Chairman Stearns and members of the
subcommittee. I am Zeke Swift, Director of Global Privacy for the
Proctor & Gamble Company.
P&G markets 300 brands of consumer products to, as the chair-
man already mentioned, 5 billion consumers in over 140 countries.
These include leading brands like Tide, Pantene, Pringles, and
Iams. We are based in Cincinnati, Ohio, and have on-the-ground
operations in over 70 countries.
Privacy is a public policy issue long associated with direct mar-
keting and high-tech industries. So why does P&G, a consumer
products manufacturer, care about privacy? Let me summarize our
interest in three points.
First, information about consumers is central to a consumer
products business. We rely on information to better understand
consumer needs and produce products, information, and services to
better meet them. As a result, we have an enormous stake in fos-
tering an environment in which consumers confidently share their
information with us. Creating this climate includes making sure
that our practices meet or exceed consumer expectations, and con-
tributing to industry and policy initiatives to enable other compa-
nies to do the same.
Second, new technologies are enabling us to deliver benefits that
were previously impossible. When consumers share information
with us, we can now deliver tailored offers, such as samples or cou-
pons, customized products and information, or opportunities to test
16
new products not yet available in stores. This increases satisfaction

among consumers who are interested, and ultimately reduces costs
of marketing to consumers who are not. We want to preserve the
ability to take full advantage of current and emerging technology
to target consumer needs.
Third, handling personal data is a complex issue for a company
the size of P&G. We receive consumer data from sources including
off-line promotions, online web sites, consumer relations contacts,
market research, and clinical studies, just to name a few. We oper-
ate in over 70 countries. We have about 200 corporate entities, and
relationships with hundreds of vendors and contractors. We have
about 375 web sites globally. Administrative processes such as
those required by recent European legislation impose an
unimagined burden for a company like ours, with little or no sub-
stantive benefit to the consumer. We hope that any steps taken in
the United States reflect this learning.
Now, let me share two examples of more sophisticated uses of
data to meet consumer needs. Both involve interactions with con-
sumers over the Internet.
First, with Reflect.com, a woman provides information about her
physical attributes and lifestyle preferences, and then creates per-
sonalized skin care, hair care, fragrance, and cosmetic products
from some 50,000 possible product combinations. The items are de-
livered to her door in a personalized package within 3 to 7 business
days.
Second, at our Pampers.com web site, parents can sign up for a
free monthly newsletter tailored to the age by month of their baby,
and delivered to their e-mail inbox. The newsletter offers expert in-
formation about raising children, tips from bathing to discipline,
coupons, and opportunities to try new products like our Bibster dis-
posable baby bibsjust a word from our sponsor.
In order to deliver these benefits, we collect, obviously, data such
as a persons name and address. To increase the tailoring of those
offers, we may collect demographic, lifestyle, or product usage in-
formation. Consumers give us most of the information we use. In
some cases, we get additional information from data compilers such
as Acxiom, Equifax, and Experian. And Ive given them all equal
time because they will be following us in the next panel.
We do not sell personal information. We do share information
with vendors acting on our behalf to process data or fulfill a pro-
motion. We do not share data with companies beyond our vendors
without the individuals consent.
We are committed to keeping data secure, and take precautions
against loss, misuse, or alteration of the data. These measures in-
clude physical security, controlled access to data, and encryption
for data transmission. We require our vendors and partners to pro-
vide privacy practices equivalent to our own, and we forbid them
from any additional use of our data.
In conclusion, we believe that understanding consumer needs, de-
livering consumer benefits, and generating consumer trust, are
three pillars that should be at the center of any policy discussion
on privacy. If I may paraphrase Representative DeGette from an
earlier hearing, there are two secrets about privacy: taking care of
17
personal information is good for business; and sharing personal in-

formation is good for consumers.
Thank you very much.
[The prepared statement of Zeke Swift follows:]
PREPARED STATEMENT OF ZEKE SWIFT, DIRECTOR, GLOBAL PRIVACY, THE PROCTER
& GAMBLE COMPANY
INTRODUCTION
Thank you, Chairman Stearns and members of the Subcommittee, for the oppor-
tunity to testify on this important issue. My name is Zeke Swift and I am Director,
Global Privacy for The Procter & Gamble Company.
As background, Procter & Gamble markets 300 brands of consumer products to
nearly five billion consumers in over 140 countries. These brands include Tide,
Swiffer, Crest, Pantene Pro-V, Pringles, Pampers, Olay, Iams and Vicks. We are
based in Cincinnati, Ohio and have on-the-ground operations in over 70 countries.
KEY MESSAGES
Privacy is a public policy issue long associated with the high tech and direct mar-
keting industries. So why does P&G, a consumer products manufacturer, care about
the privacy issue? Let me summarize our interest in three key points.
1. First, information about consumers is central to our business. We rely on infor-
mation to better understand consumer needs, and produce superior products, infor-
mation and services to meet them. As a result, we have an enormous stake in fos-
tering an environment of trust in which consumers confidently share their informa-
tion with us. Creating this climate includes making sure that our practices meet or
exceed consumer expectations, and contributing to industry and policy initiatives
that enable other companies to do the same.
2. Second, new technologies are enabling us to deliver a level of benefit on the basis
of personal information that was previously impossible. When consumers share in-
formation with us, we now can deliver tailored offers such as samples or coupons,
opportunities to test new products, or customized products and information. We
want to preserve the ability to take full advantage of current and emerging tech-
nology to meet consumer needs.
3. Third, privacyor more broadly the way we handle personal datais a complex
issue for a company the size of P&G. We receive consumer data from many sources
including offline promotions, online websites, Consumer Relations contacts, market
research and clinical studies. As mentioned, we operate in over 70 countries. We
have about 200 corporate entities and relationships with hundreds of vendors and
contractors. Administrative processes, such as those imposed by recent European
legislation, impose unimaginable burdens for companies like ours with little or no
substantive benefit to consumers. We hope that any steps taken in the United
States would reflect this learning.
P&G PRIVACY PRACTICES
Now, let me share a couple of points about our overall approach to privacy.
First, were guided by two fundamental principles:
(a) We strive to treat information provided by individuals as their own, which has
been entrusted to us; and
(b) We strive for transparency with consumers about how their information is used.
We inform people about how we handle information they provide us. We give
them choices about further communication with P&G or further uses of their
data. We offer them reasonable access to data theyve provided to review it, cor-
rect it or ask us not to use it.
Second, we have a long history of responsible treatment of personal information.
Our employee privacy policy, for example, dates back more than 20 years. And, we
posted our first on-line privacy statement in 1997.
Third, for consistencys sake weve chosen to take a global approach to privacy.
We have a single global privacy policy. We have a global structure for developing
and implementing our information practices worldwide. We are building a global IT
system to implement and monitor our policy globally.
CONSUMER BENEFITS
Now let me provide some examples of the way were using consumer information
today. At the most elemental level, when consumers share their information with
18
us, we can give them information, services and products tailored to their needs or
interests. These may include new product announcements, free sample offers, par-
ticipation in contests and sweepstakes, and opportunities to test new products not
yet available in stores.
But at a more sophisticated level we use interactions with consumers over the
Internet to deliver personalized or customized products and services. For example:
1. With Reflect.com, a woman provides information about her individual attributes
and lifestyle and creates personalized skin care, hair care, fragrances and cosmetics.
The items are delivered to her door in a personalized package within 3 to 7 business
days. The beauty products are produced from some 50,000 possible product combina-
tions based on P&G formulas.
2. Our Pampers.com website strives to be the best resource on the web for parents
and parents-to-be. It offers parents an opportunity to sign up for a free monthly
newsletter from the Pampers Parenting Institute, tailored to the age of their baby
and delivered to their e-mail inbox. The newsletter is full of information about child
rearing written by experts, offers tips from bathing to discipline, coupons, and op-
portunities to sample new products like our disposable Bibster baby bibs.
HOW WE COLLECT AND USE PERSONAL INFORMATION
In order to deliver offers such as these, we collect data such as a persons name,
address, email address or phone number so that we may contact them or send them
items they have requested. To increase the likelihood that our offers will be of inter-
est, we collect demographic information such as age or gender, lifestyle information
such as household status or personal interests, and other relevant information such
as product usage and preferences.
Consumers volunteer most of the information we store in our databases. In some
situations we use additional demographic information purchased from data
aggregators such as Acxiom, Equifax or Experian. The data provided by aggregators
is from publicly available sources such as telephone directories and public records,
or from information reported by consumers themselves through vehicles such as
warranty cards.
We seek to build our relationships with consumers on the basis of transparency
and trust. We offer individuals who have provided us with information choices about
further communications. We ask whether or not a consumer would like to be con-
tacted about additional offers or services. We seek wherever we can to provide con-
sumers with a convenient means to tell us, yes or no, whether we may use the infor-
mation they provided to re-contact them.
We do not sell personal information. We obviously do share data with vendors act-
ing on our behalf to fulfill a promotion. We do not share data with companies be-
yond our vendors without the individuals consent.
We are committed to keeping data secure and take precautions against loss, mis-
use or alteration. These measures include physical security, controlled access to data
and encryption for data transmission. We require vendors, partners and contractors
to provide equivalent privacy measures and forbid them to use data for any addi-
tional purpose.
SUMMARY
In conclusion, we believe that understanding consumer needs, delivering con-

sumer benefits and generating consumer trust are the issues at the heart of any
policy discussion on privacy. If I may paraphrase Representative DeGette from an
earlier subcommittee hearing, There are two secrets about privacy: privacythe
stewardship of personal informationis good for business, and information sharing
is good for consumers.
Thank you.
Mr. Misener, your opening statement?
STATEMENT OF PAUL MISENER
Mr. MISENER. Thank you, Chairman Stearns and members of the
subcommittee. My name is Paul Misener. I am the Vice President
for Global Public Policy at Amazon.com. Thank you very much for
inviting me here to testify today.
Mr. Chairman, Amazon.com is pro-privacy. The privacy of per-
sonal information is important to our customers, and thus it is im-
19
portant to us. Indeed, as Amazon.com strives to be the Earths

most customer-centric company, we must provide our customers
the very best shopping experience, which is a combination of con-
venience, personalization, privacy, selection, savings, and other fea-
tures. At Amazon.com, we manifest our commitment to privacy by
providing our customers notice, choice, access, and security.
Before I describe these four facets of privacy protection at Ama-
zon.com, please allow me to explain how we use customer informa-
tion. In general, Amazon.com uses personally identifiable customer
information to personalize the shopping experience at our store.
Rather than present an identical storefront to all visitors, our long-
standing objective is to provide a unique store to every one of our
customers, now totaling well over 35 million people. In this way,
our customers may readily find the items they seek, and discover
other items of interest.
Amazon.com now inserts, among the familiar tabs across the top
of our web pages, a special tab with our customers name on it.
When I visited Amazons site on Monday, for example, the tabs in-
cluded books, electronics, DVDs, and Pauls store. By clicking on
the Pauls store tab, Amazon.com introduced me to six smaller
stores, including one named Your kitchen and housewares store,
which featured a Calphalon professional nonstick 5-quart sauce-
pan, which I promptly bought, and it was delivered yesterday.
Now, it was no coincidence, of course, that Amazon.com rec-
ommended this saucepan to me, and that I liked it. Using so-called
collaborative filtering techniques, which compare my past pur-
chases to anonymous statistics on thousands of other Amazon.com
purchases, Amazon.com computers automatically, and correctly,
predicted that I would want this saucepan. Similar personalization
is provided in the traditional Amazon.com recommendations on the
home page, and purchase follow-up recommendations in the New
for You feature, and in some varieties of e-mail communications.
Obviously, Amazon.coms personalization features directly benefit
our customers. And just as obviously, these features require the
collection and use of personally identifiable customer information.
The question then is how do we protect the privacy of this informa-
tion?
As I indicated earlier, Amazon.com manifests its privacy commit-
ment by providing notice, choice, access, and security. Amazon.com
was one of the very first online retailers to provide a clear and con-
spicuous privacy notice. We also provide our customers meaningful
privacy choices. In some instances we provide opt-out choice, and
in other instances we provide opt-in choice.
We are an industry leader in providing our customers access to
the information we have about them. They may easily view and
correct, as appropriate, their contact information, payment meth-
ods, purchase history, and even the clickstream record of products
they view while browsing Amazon.coms online stores. And finally,
Mr. Chairman, Amazon.com vigilantly protects the security of our
customers information.
It is very important to note here that, other than an obligation
to live up to pledges made in our privacy notice, there is no legal
requirement for Amazon.com to provide our customers the privacy
protections that we do. So why do we provide notice, choice, access,
20
and security? The reason is simple: privacy is important to our cus-

tomers, and thus it is important to Amazon.com. We simply are re-
sponding to market forces. Indeed, if we didnt make our customers
comfortable shopping online, they will shop at established brick-
and-mortar retailers, who are our biggest competition.
These market realities lead us to conclude that there is no inher-
ent need for privacy legislation. That said, we have been asked
whether Amazon.com could support a privacy bill. Perhaps we
could, but only under certain circumstances.
At the Federal level, Amazon.com could support a bill that would
require notice and meaningful choice, but only if it would pre-empt
inconsistent State laws, bar private rights of action, and address
both online and off-line activities. Please allow me to explain each
of these points.
First, any Federal privacy legislation applied to online activities
must pre-empt inconsistent State laws, for it would be virtually im-
possible for a nationwide web site to comply with conflicting rules
from multiple jurisdictions.
Second, Amazon.com could support a privacy bill only if it would
bar private rights of action. The threat of aggressive private litiga-
tion would companies to balkanize their privacy notices for the
sake of legal defensibility, at the expense of simplicity and clarity.
Third and finally, Amazon.com believes that privacy legislation
must apply equally to online and off-line activities. It makes little
sense to treat information collected online differently from the
same, and often far more sensitive, information collected through
other media, such as mail-in warranty registration cards, point-of-
sale purchase tracking, and magazine subscriptions.
On one hand, such parity is necessary in fairness to online com-
panies. But more importantly, it would be misleading to American
consumers to enact a law that applies only to online entities, be-
cause for the foreseeable future the putative protections of such a
law would apply only to a very tiny fraction of consumer trans-
actions. Last year, online sales accounted for less than 1 percent
of all retail business. Obviously, any law that addresses only online
transactions could not benefit consumers much at all compared to
one that equally addresses online and off-line activities.
Moreover, to the extent it provides any real consumer benefits,
a law that addresses only online activities would have the perverse
effect of failing to provide any benefits to those on the less fortu-
nate side of the digital divide. Indeed, consumers who, because of
economic situation, education, or other factors, are not online,
would receive no benefits of a new online-only law.
In sum, Mr. Chairman, Amazon.com is pro-privacy in response to
consumer demand and competition. We believe market forces are
working, and thus believe there is no inherent need for legislation.
Nonetheless, Amazon.com could support limited Federal legislation,
but only if it pre-empts State laws, only if it bars private rights of
action, and only if it applies to off-line as well as online activities.
Thank you again for inviting me to testify. I look forward to your
questions.
[The prepared statement of Paul Misener follows:]
21
PREPARED STATEMENT OF PAUL MISENER, VICE PRESIDENT, GLOBAL PUBLIC POLICY,
AMAZON.COM
Chairman Stearns, Mr. Towns, and members of the Subcommittee, my name is
Paul Misener. I am Amazon.coms Vice President for Global Public Policy. Thank
you for inviting me to testify today.
A pioneer in electronic commerce, Amazon.com opened its virtual doors in July
1995 and today offers books, electronics, toys, CDs, videos, DVDs, kitchenware,
tools, and much more. With well over 30 million customers in more than 160 coun-
tries, Amazon.com is the Internets number one retailer.
Mr. Chairman, Amazon.com is pro-privacy. The privacy of personal information is
important to our customers and, thus, is important to us. Indeed, as Amazon.com
strives to be Earths most customer-centric company, we must provide our customers
the very best shopping experience, which is a combination of convenience, personal-
ization, privacy, selection, savings, and other features.
At Amazon.com, we manifest our commitment to privacy by providing our cus-
tomers notice, choice, access, and security. Before I describe these four facets of pri-
vacy protection at Amazon.com, please allow me to explain how we use customer
information.
In general, Amazon.com uses personally identifiable customer information to per-
sonalize the shopping experience at our store. Rather than present an identical
storefront to all visitors, our longstanding objective is to provide a unique store to
every one of our customers, now totaling well over 35 million people. In this way,
our customers may readily find items they seek, and discover other items of inter-
est. If, for example, you buy a Stephen King novel from us, we likely will rec-
ommend other thrillers the next time you visit the site.
Amazon.com now inserts, among the familiar tabs atop our Web pages, a special
tab with the customers name on it. When I visited Amazon.coms site yesterday,
for example, the tabs included Books, Electronics, DVDs, and Pauls Store. By
clicking on the Pauls Store tab, Amazon.com introduced me to six smaller stores,
including one named, Your Kitchen and Housewares Store, which featured a
Calphalon professional nonstick 5-quart saucepan (which I promptly bought).
It was no coincidence, of course, that Amazon.com recommended this saucepan to
me, and that I liked it: using so-called collaborative filtering techniques, which
compare my past purchases to anonymous statistics on thousands of other Ama-
zon.com purchases, Amazon.com computers automaticallyand correctlypredicted
that I would want the saucepan.
Similar personalization is provided in the traditional Amazon.com recommenda-
tions on the home page, in purchase follow-up recommendations, in the New for
You feature, and in some varieties of email communications. Customers can im-
prove the quality of these recommendations in several ways, including by removing
individual Amazon.com purchases from consideration, and by rating the products
they buy at Amazon.com or elsewhere. For example, I bought my niece a few CDs
from the singer Britney Spears but, because I did not want similar music rec-
ommended to me, I removed these CDs from the list of items Amazon.com uses to
produce my recommendations. In addition, on Amazon.coms site, I can rate a CD
that I might have purchased at Wal-Mart to improve the quality of my music rec-
ommendations.
Obviously, Amazon.coms personalization features directly benefit our customers.
And, just as obviously, these features require the collection and use of personally
identifiable customer information. The question, then, is how do we protect the pri-
vacy of this information?
As I indicated earlier, Amazon.com manifests its privacy commitment by pro-
viding notice, choice, access, and security.
Notice. Amazon.com was one of the first online retailers to post a clear and con-
spicuous privacy notice. And last summer, we proudly unveiled our updated and en-
hanced privacy policy by taking the unusual step of sending email notices to all of
our customers, then totaling over 20 million people.
Choice. We also provide our customers meaningful privacy choices. In some in-
stances, we provide opt-out choice, and in other instances, we provide opt-in choice.
For example, Amazon.com will share a customers information with a wireless serv-
ice provider only after that customer makes an opt-in choice. We simply are not in
the business of selling customer information and, thus, beyond the very narrow cir-
cumstances enumerated in our privacy notice, there is no information disclosure
without consent.
Access. We are an industry leader in providing our customers access to the infor-
mation we have about them. They may easily view and correct as appropriate their
22
contact information, payment methods, purchase history, and even the click-
stream record of products they view while browsing Amazon.coms online stores.
Security. Finally, Amazon.com vigilantly protects the security of our customers
information. Not only have we spent tens of millions of dollars on security infra-
structure, we continually work with law enforcement agencies and industry to share
security techniques and develop best practices.
It is very important to note that, other than an obligation to live up to pledges
made in our privacy notice, there is no legal requirement for Amazon.com to provide
our customers the privacy protections that we do.
So why do we provide notice, choice, access, and security? The reason is simple:
privacy is important to our customers, and thus it is important to Amazon.com. We
simply are responding to market forces.
Indeed, if we dont make our customers comfortable shopping online, they will
shop at established brick and mortar retailers, who are our biggest competition.
Moreover, onlinewhere it is virtually effortless for consumers to choose among
thousands of competitorsthe market provides all the discipline necessary. Our cus-
tomers will shop at other online stores if we fail to provide the privacy protections
they demand.
These market realities lead us to conclude that there is no inherent need for pri-
vacy legislation. That said, we have been asked whether Amazon.com could support
a privacy bill. Perhaps we could, but only under certain circumstances.
Under no circumstances would we support state or local laws governing online
privacy. Not only would such laws be constitutionally suspect, a nationwide website
like Amazon.com would find it difficult if not impossible to comply with fifty or more
sets of conflicting rules.
At the federal level, Amazon.com could support a bill that would require notice
and meaningful choice, but only if it would preempt inconsistent state laws, bar pri-
vate rights of action, and address both online and offline activities. Please allow me
to briefly explain each of these points.
Preempt State Law. First, any federal privacy legislation applied to online ac-
tivities must preempt inconsistent state laws, for it would be virtually impossible
for a nationwide website to comply with conflicting rules from multiple jurisdictions.
Even though such laws most likely would fail a constitutional challenge, the expense
and uncertainty of litigation should be avoided with a Congressionally adopted ceil-
ing.
Bar Private Rights of Action. Second, Amazon.com could support a privacy bill
only if it would bar private rights of action. The threat of aggressive private litiga-
tion would cause companies to balkanize their privacy notices for the sake of legal
defensibility, at the expense of simplicity and clarity. Ten-page privacy statements
and fine-print legalese would become the norm. A regulatory body such as the Fed-
eral Trade Commission, on the other hand, could balance the competing interests
of legal precision and simplicity. A class action plaintiffs lawyer would have no such
motivation.
In addition, the aforementioned uniformity necessary to run nationwide websites
would be destroyed by a host of trial lawyers suing companies all across the country.
A single authority, such as the FTC, could provide the nationwide approach that
private litigation cannot.
Parity with Offline Activities. Third, and finally, Amazon.com believes that
privacy legislation must apply equally to online and offline activities, including the
activities of our offline retail competitors. It makes little sense to treat information
collected online differently from the sameand often far more sensitiveinforma-
tion collected through other media, such as offline credit card transactions, mail-in
warranty registration cards, point-of-sale purchase tracking, and magazine subscrip-
tions.
On one hand, such parity is necessary in fairness to online companies. It simply
would not be equitable to saddle online retailers with requirements that our brick-
and-mortar or mail order competitors do not face.
But more importantly, it would be misleading to American consumers to enact a
law that applies only to online entities because, for the foreseeable future, the puta-
tive protections of such a law would apply only to a tiny fraction of consumer trans-
actions. Last year, online sales accounted for less than one percent of all retail busi-
ness. Obviously, any law that addresses only online transactions could not benefit
consumers much at all compared to one that equally addresses online and offline
activities such as using a grocery store loyalty card or subscribing to a magazine.
Moreover, to the extent it provides real consumer benefits, a law that addresses
only online activities would have the perverse effect of failing to provide any bene-
fits to those on the less fortunate side of the digital divide. Indeed, consumers who,
23
because of economic situation, education, or other factors, are not online would re-
ceive no benefits from a new, online-only law.
In sum, Mr. Chairman, Amazon.com is pro-privacy in response to consumer de-
mand and competition. We believe market forces are working and, thus, believe
there is no inherent need for legislation. We firmly oppose the adoption of any non-
federal privacy law that addresses online activities. Nonetheless, Amazon.com could
support limited federal legislation, but only if it preempts state laws, only if it bars
private rights of action, and only if it applies to offline as well as online activities.
Thank you again for inviting me to testify, I look forward to your questions.
Mr. Johnson, your opening statement?
STATEMENT OF DAVID A. JOHNSON

Mr. JOHNSON. Mr. Chairman and members of the sub-
committee
Mr. STEARNS. You might just pull the microphone a little closer
and just maybe straighten ityes.
Mr. JOHNSON. Okay. Mr. Chairman and members of the sub-
committee, I am pleased to appear before you today on behalf of
the National Retail Federation, and thank you for the invitation to
speak on this important issue. My name is David Johnson, and I
am Vice President of Direct Marketing for Lands End in
Dodgeville, Wisconsin.
Although we are now an international merchant, many of the
things that today sets Lands End apart are those same values on
which our founder, Gary Comer, built the business he founded in
1963. Indeed, one of the principles that continues to guide our busi-
ness states: We believe that what is best for the customer is best
for all of us.
When people are asked to define good customer service, they
commonly say that it involves dealing with consumers honestly and
fairly, a view that no one can seriously dispute. Many others also
view a component of good customer service as treating everyone
equally. Let me suggest, however, that equal treatment is not good
customer service. Rather, great customer service recognizes the
very unique wants and needs of each individual consumer, and
strives to meet those needs. Great customer service uses all avail-
able information to assess each individuals particular tastes, and
then delivers goods and services that meets those desires. In short,
rather than treating all customers equally, great customer service
is built on the premise of treating different customers differently.
In testimony before Congress in July 1999, Federal Reserve
Board Governor Edward Gramlich stated: Information about indi-
viduals needs and preferences is the cornerstone of any system
that allocates goods and services within an economy. The more
such information is available, he continued, the more accurately
and efficiently will the economy meet those needs and preferences.
What Governor Gramlich was talking about on a macro level,
Lands End is striving to do on a micro level.
The information required to provide these tailored interactions
with our customers does come from a wide variety of sources. We
look to our customer purchase history and other acquired informa-
tion in order to more reliably assess our customers needs and
wants. By assessing information on purchases that consumers actu-
ally make, and services that they actually use, consumers are of-
24
fered products and services that respond to their demonstrated

needs and desires. This greatly reduces the cost of developing those
products and services, and the risk that they will be out of line
with consumer demand, thereby reducing the price that consumers
pay for them, and mitigating the inconvenience and delay associ-
ated with stopping consumers to ask about likely preferences.
Admittedly, we often hear complaints about customers receiving
mailings that they dont want. But Lands Endand I strongly sus-
pect every other direct merchanthas no interest in sending cata-
logues or other information to customers that have no desire to re-
ceive it. Frankly, that is a waste of our time and money, and a dis-
service to the customer. Thus, we use all information available to
us to assess the likelihood that any catalogue sent will be welcome
in the customers home. To the extent that cataloguers send mail-
ings to people who are not interested in the offering, I suggest that
the problem is not one of too much information sharing, but rather
too little reliable information, forcing businesses to employ mass
marketing techniques instead of more targeted efforts to a more ap-
propriate and appreciative audience.
Moreover, the ability to collect and assess individual purchasing
activity gives Lands End the ability to provide services to cus-
tomers that we might not otherwise. As an example, Lands End
sells its products with a guarantee that is second to none. Under
our Guaranteed. Period. policy, any customer can return any
product, at any time, for any reason. A guarantee this sweeping is
by its nature subject to abuse, and by offering it Lands End has
placed unprecedented faith in its customers that they will not ex-
ploit the policy.
But we comfort in offering our Guaranteed. Period. policy, be-
cause it is enhanced by the ability of individualized purchasing and
return data that allow us to track and check abuses. In short, this
information ensures that the few that might exploit the guarantee
dont ruin it for the overwhelming majority of our customers that
are fair and reasonable.
And consistent with the trust and loyalty that our customers
have shown us, Lands End is also quite responsible with the infor-
mation we share with others. Indeed, the only data we currently
provide to others are one-time use list exchanges, which include
only customers names and addresses, and then only with high-
quality companies that share our commitment to product quality,
customer service and value, and could, therefore, offer products and
services attractive to Lands End customers. And regardless of the
medium by which we interact with the customerthe Internet,
phones, or mailcustomers may at any time request that their in-
formation not be shared with others, or that they be removed from
our files altogether. And that is a request that will be honored.
Guaranteed. Period.
So in answer to the question posed by this hearingIs the Cus-
tomers Privacy Protected?the good news is that currently avail-
able information is used responsibly, consistent with the expecta-
tions of consumers, and in furtherance of everyones interest, the
consumers, as well as the companies that serve them.
Again, thank you for this opportunity to speak this morning, and
I welcome your comments and questions.
25
[The prepared statement of David A. Johnson follows:]

PREPARED STATEMENT OF DAVID A. JOHNSON, VICE PRESIDENT, DIRECT MARKETING,
LANDS END, INC. ON BEHALF OF THE NATIONAL RETAIL FEDERATION
Mr. Chairman and Members of the Subcommittee: I am very pleased to appear
before you today on behalf of the National Retail Federation, and thank you for the
invitation to speak on this subject. My name is David Johnson, and I am Vice Presi-
dent of Direct Marketing for Lands End, Inc., in Dodgeville, Wisconsin. Lands End
employs approximately 7,600 people in the U.S. and abroad. We are a global direct
merchant of classically-inspired clothing for men, women and children, soft luggage
and products for the home, sold through regular mailings of our catalogs, our Web
sitelandsend.comand a number of retail outlets. Last year, Lands Ends reve-
nues exceeded $ 1.4 billion, and we mailed packages to approximately 6.7 million
customers.
The National Retail Federation (NRF) is the worlds largest retail trade associa-
tion with membership that comprises all retail formats and channels of distribution
including department, specialty, discount, catalog, Internet and independent stores.
NRF members represent an industry that encompasses more than 1.4 million U.S.
retail establishments, employs more than 20 million peopleabout 1 in 5 American
workersand registered 2000 sales of $3.1 trillion. NRFs international members
operate stores in more than 50 nations. In its role as the retail industrys umbrella
group, NRF also represents 32 national and 50 state associations in the U.S. as well
as 36 international associations representing retailers abroad.
Although we are now an international merchant, many of the things that today
set Lands End apart are those same values on which our founder, Gary Comer,
built the business he founded in 1963. Indeed, one of the principles that continues
to guide our business states: We believe that what is best for our customer is best
for all of us. Everyone here understands that concept. Our sales and service people
are trained to know our products, and to be friendly and helpful.
Through this dedication to the customer, Lands End has been able to separate
itself from the pack in customer service. Indeed, in the book Customer Service,1 au-
thor Fred Wiersema lauds Lands End (along with five other companies) for its abil-
ity to service the customer above and beyond the call of duty.
When people are asked to define good customer service, they commonly say that
it involves dealing with consumers honestly and fairly, a view that no one can seri-
ously dispute. Many others also view a component of good customer service as treat-
ing everyone equally. Let me suggest, however, that equal treatment is not good
customer service. Rather, great customer service recognizes the very unique wants
of each individual consumer and strives to meet those needs. Thus, great customer
service does not view every customer as a nameless, faceless person without indi-
vidual preferencessomeone that in the absence of any other information needs to
be treated just like the next person. Instead, great customer service uses all avail-
able information to assess each individuals particular tastes, and then deliver goods
and services that meet those desires. In short, rather than treating all customers
equally, great customer service is built on the premise of treating different customers
differently.
Access to information is critical to our ability to deliver this level of service. Infor-
mation is used to identify and satisfy customer needs. Lands End does not auto-
matically know which products and services consumers want. Information beyond
a persons name and address allows us to tailor our interaction with the customer
to make it more effective and more satisfying for the consumer. As Mr. Wiersema
states in his book Customer Service, two of the most key components underlying the
ability to provide exceptional customer service are (1) the employment of up-to-date
information technology, and (2) the personal, one-to-one relationship built with
every customer.
Although they conduct their business in completely different areas of industry,
these organizations actually have many things in common with regard to how
they function:
* * *
They employ the latest information technology at each level of their business.
This shouldnt be surprising: Information technology lends itself to strong cus-
tomer service, and early on, these companies all recognized the advantages, the
instant gratification, that the Internet and other technological advances could
1 Customer Service by Fred Wiersema (Harper-Collins Publishers, Inc. 1998).
26
offer them. Rather than trying to dazzle the customer with the latest bells and
whistles, they use technology to make their products and services easier to ac-
quire and operateas well as more efficient.
* * *
. . . [T]hey use that technology to gain a profound understanding of what these
customers want and need. The notion of building profiles on every customer
they interact with is important to them. If Customer A likes something different
from Customer B, these companies want to know that ahead of time . . .
* * *
These companies build personal relationships with their customers. They are
not mass-production factories when it comes to connecting with their constitu-
ents. Each customer who deals with these organizations is given premium treat-
ment and made to feel he or she is valued as an individual, able to call a service
representative time and again . . .
This degree of one-to-one attention requires a commitment to training, to coach-
ing, and to teaching associates the best listening strategies and most efficient
methods for giving and receiving input. It takes computer technology, as well
as dedicated personnel willing to record each customer interaction onto data-
bases so that it can be activated later and used as a learning tool for fellow
workers. 2
In testimony before Congress in July 1999, Federal Reserve Board Governor Ed-
ward Gramlich stated: Information about individuals needs and preferences is the
cornerstone of any system that allocates goods and services within an economy. The
more such information is available, he continued, the more accurately and effi-
ciently will the economy meet those needs and preferences. What Governor
Gramlich was talking about on a macro level, I can guarantee Lands End is striving
to do on a micro level.While many of our customers love the technology and the
wealth of information that is available over the Internet, many other customers
want the direct interaction that they can get over the phone from one of our highly
trained customer sales representatives. We are agnostic as to how we interact with
the customerwhether it be through the Internet, the phone, mail or one of our out-
let storesbut we do need to know their preferences in order to build the infrastruc-
ture necessary to effectively communicate with them via their preferred medium.
We also need to know our customers preferences with respect to the products and
services availableeither now or in the futureto our customers. While some would
prefer to learn about the entire array of Lands End product offerings, others inter-
ests are more limited and they would prefer to only receive catalogs from a certain
selection of our assortment of apparel and home goods. This type of information edu-
cates us not only on what we should be communicating to our customers today, but
also provides Lands End with information on every detailincluding assortment,
color, fit, level of quality, and pricethat we should provide in future products and
services.
The information required to provide these tailored interactions with our cus-
tomers comes from a wide variety of sources. One obvious source is the customer
himself or herself in the form of preference surveys. It is possible to extensively sur-
vey customers to determine their individual preferences, but such data is not only
expensive to acquire, its acquisition runs contrary to the customer service commit-
ment of an organization such as Lands End. Frankly, it is a bother for a customer
to complete questionnaires telling businesses what they expect in products and serv-
ices. Because of these limitations, such direct information is oftentimes unavailable
and somewhat unreliable. For that reason, we look to customer purchase history
and other acquired information in order to more reliably assess our customers
needs and wants. By assessing information on purchases that consumers actually
make and services they actually use, consumers are offered products and services
that respond to their demonstrated needs and desires. This greatly reduces the cost
of developing those products and services and the risk that they will be out of line
with consumer demandthereby reducing the price that consumers pay for them
and mitigating the inconvenience and delay associated with stopping consumers to
ask about likely preferences.
Admittedly, we often hear complaints about customers receiving mailings that
they dont want. But Lands Endand I strongly suspect every other direct mer-
chanthas no interest in sending catalogs or other information to customers who
2 Customer Service at xiv-xviii.
27
have no desire to receive it. Frankly, that is a waste of our time and money, and
frustrating to the consumer as well. Thus, we use all information available to us
to assess the likelihood that any catalog we send out will be welcome in the cus-
tomers home. To the extent that cataloguers send mailings to people who are not
interested in the offering, I suggest that the problem is not one of too much informa-
tion sharing but rather too little reliable information, forcing businesses to employ
mass marketing techniques instead of more targeted efforts to a more appropriate
and appreciative audience.
Moreover, the ability to collect and assess individual purchasing activity gives
Lands End the ability and comfort to provide enhanced services to customers that
we might not otherwise. As an example, Lands End sells its products with a guar-
antee that is second to none. Under our Guaranteed. Period. policy, any customer
can return any product at any time for any reason. A guarantee this sweeping is,
by its nature, subject to abuse, and by offering it Lands End has placed unprece-
dented faith in its customers that they will not exploit the return policy. But Lands
Ends comfort in offering our Guaranteed. Period. policy is enhanced by the avail-
ability of individualized purchasing and return data that allows us to track and
check abuses. In short, this information assures that the few that might exploit the
guarantee dont ruin it for the overwhelming majority of our customers that are fair
and reasonable in their returns.
Likewise, the availability of certain products and services by their natureand
particularly so of many of the services available over the Internetall but require
that some information be shared among companies. As examples, Lands End offers
online models which a customer can use to virtually try on clothes, and a per-
sonal shopper that, applying conjoint analysis techniques, offers purchasing rec-
ommendations to online shoppers much as a sales clerk would do in a retail store.
For these types of services to become accepted and useful to the consumer, they
must also become standardized throughout industry with the individualized models
and preferences portable from site to site. This type of information sharing will ulti-
mately enhance the breadth of products and services available to the consumer.
And consistent with the trust and loyalty that our customers have shown us,
Lands End is also quite responsible the information we share with others. Indeed,
the only data we currently provide to others are one-time-use list exchanges, which
include only customers names and addresses, and then only with high quality com-
panies that share Lands Ends commitment to product quality, customer service
and value and could, therefore, offer products and services attractive to Lands End
customers. And regardless the medium by which we interact with our customer
the Internet, phones or mailcustomers may at any time request that their infor-
mation not be shared with others, or that they be removed from our files altogether,
and that request will be honored.
So in answer to the question posed by this hearingIs the Customers Privacy
Protected?the good news is that currently available information is principally
shared responsibly, consistent with the expectations of consumers and in further-
ance of everyones intereststhe consumers as well as the companies that serve
them.
Again, thank you for this opportunity to speak before this Subcommittee, and I
welcome your questions and comments.
Mr. STEARNS. I thank the panel. Let me start by asking some of
the basic questions I think all consumers are concerned about. And
this sort of touches into what Mr. Hourigan had talked aboutthat
they build a substantial data base with information on GM vehicle
owners, and that GM uses this to facilitate after-market sales, re-
pairs, next vehicle purchase, and to cross-market the broad range
of GM products and services. Is this a singular data base?
Ms. HOURIGAN. It is not a singular data base. We have separate
data bases. The data base that I mentioned is primarily used for
market segmentation, and in our product development phase.
Mr. STEARNS. Give me, for example, examples of the type of in-
formation that is contained in this data base. Other than the ones
I mentioned, is it pretty much just the name of the owner, the pur-
chase? Are there preferences and things that are in this data base?
Ms. HOURIGAN. It actually is, if I can mention one thing, our di-
visions have operated on a tremendously autonomous basis for
28
many years. And we just recently have elected to streamline many

of our processes and practices. Data handling is one such practice.
And so what we have attempted to do is, again, move toward a
process by which all divisions will operate under the same policies
and practices. The information that is contained in that data base
is vehicle name and type of vehicle. We will augment that with in-
formation we obtain from the aggregators, but again, it is only for
the purpose of market segmentation.
Mr. STEARNS. How do you protect that information? For example,
within the company, and also protect it when you deal with sub-
contractors, or other organizations that you deal with?
Ms. HOURIGAN. Well, we obviously use the highest standards of
security to protect the information. We also use managerial secu-
rity techniques, along with physical security measures.
In terms of working with our suppliers, we obviously only deal
with credible suppliers to process the transactions on behalf of our
customers. We also have contractually limited how our suppliers
can use that information for any subsequent purposes.
Mr. STEARNS. Mr. Misener has talked about not having legisla-
tion, but if we have legislation, he would say it should be three
items: pre-emptive rights, of course, so that if States start to de-
velop it, that there would be Federal legislation to pre-empt the
States, so you wouldnt have to comply with 50 States; what would
apply to online would also apply to off-line; and then he talked
about private rights of action.
And just for the benefit, the private rights of action, we, of
course, on this committee would not all agree with this, but basi-
cally this would prevent class actions suits as I understand it
against you individuals, based upon something that perhaps you
compromised privacy, and then this would turn out to be, among
thousands of people who would come together with a class-action
suit.
Now, he mentioned those three that he would like to see, if there
is Federal legislation. Are there any other ones? And I will just go
from my left to my right and ask each of you if there are any be-
sides those three? And if you disagree with Mr. Misener, that you
dont think they should be part of this, now is the time to tell us.
Ms. PEARSON. I would agree with those three features being re-
flected that way in possible legislation. I would just go back to the
point of, as your committee has begun a process of deliberation and
understanding how information flows in our economy, and how con-
sumers can be affected by that information, is to start with a more
fundamental question: where is the issue that needs to be ad-
dressed? Once we understand what companies do with information,
what government does with information, and then go from there.
I think if there is legislation affecting commercial practices, there
ought to be some level of understanding of why commercial prac-
tices versus other kinds of uses of information. So there ought to
be that.
Mr. STEARNS. I could give you a list of what I think the consumer
wants. But I am just asking you now, just, because I dont have a
lot of time, just quickly to go through and say, Yes, I think those
three are the basic
Ms. PEARSON. Yes, I think those three features are basic.
29
Mr. STEARNS. Basic for Federal legislation?

Ms. PEARSON. Yes.
Mr. STEARNS. Is there anything you would add to it?
Ms. PEARSON. I think there ought to be technology neutrality, so
that you dont get into specific requirements about this technology
or that technology being used, so that you accommodate flexible
changes. The world is changing extremely rapidly, and we need to
have that ability to innovate. There ought to be, I think, some basic
guidelines so that you encourage transparency in information prac-
tices without requiring specific content for notices or specific prac-
tices. Those are two.
Mr. STEARNS. Okay.
Ms. HOURIGAN. I would just second what Harriet said, tech-
nology-neutral, in addition to what Mr. Misener mentioned earlier.
Mr. STEARNS. Okay. Mr. Swift?
Mr. SWIFT. The one addition that we would have is that the leg-
islation would recognize the role of industry self-regulation, and
possibly the role of TrustMark programs in the self-regulatory proc-
ess.
Mr. STEARNS. What does that last part mean?
Mr. SWIFT. A BBBOnLine or Trustee, a program that validates
and sets criteria for appropriate practices.
Mr. STEARNS. Best business practices?
Mr. SWIFT. Correct.
Mr. STEARNS. Okay. Mr. Misener?
Mr. MISENER. I thought Mr. Miseners list was pretty good.
Mr. STEARNS. I thought so, yeah.
Mr. Johnson?
Mr. JOHNSON. We believe that any legislation should move incre-
mentally, and allow us to really understand the impact that it ulti-
mately has in helping us to serve our customers.
Mr. STEARNS. Okay, my time has expired, and we are eager to
hear other members. But I think, just briefly in the 5 minutes I
have had, you have outlined what, if any, Federal legislation
should include. And I think that is the purpose, to get from you
your heartfelt opinion of what we should do. And we have come up
with 1, 2, 3, 4, 5, 6, 7 components of this Federal legislation.
I am very pleased to welcome the ranking member, the gen-
tleman from New York, Mr. Towns.
Mr. TOWNS. Thank you very much, Mr. Chairman. Let me say
that I am happy that you are having this hearing. I think it is so
important that we listen to people before we move forward on legis-
lation.
I would like to know, I guess, Mr. Misener, what do you deem
as an appropriate penalty for those companies who abuse consumer
privacy, by breaking their own privacy laws? What would you con-
sider an adequate penalty?
Mr. MISENER. An adequate penalty? Well, certainly it would de-
pend upon a lot of factors going into the abuse. If it is repetitive,
if it is willful, intentional, deliberateall those sorts of things
then I would think that the penalty could be greater. But those are
the sorts of issues that, for example, the Federal Trade Commis-
sion could take into account.
30
If a privacy policy is announced by a company, and then not fol-

lowed by that same company, the Federal Trade Commission,
under its powers in Section 5 of the Federal Trade Commission Act,
could go after that company and apply a variety of remedies, in-
cluding injunction and fines.
Mr. TOWNS. Let me ask you, if I buy ten books through your com-
pany, are those records available to data collectors? In other words,
do you sell the products that I purchase through Amazon.com to
data collectors?
Mr. MISENER. Yes, that is an excellent question, Mr. Towns. Ab-
solutely not. Amazon.com is emphatically not in the business of
selling customer information. We do not transfer that information
to unaffiliated third parties at all. And for the few affiliated third
parties, we transfer it only with opt-in consent from our customers.
Mr. TOWNS. On that note, Mr. Chairman, I yield back.
Mr. STEARNS. Okay. I thank the gentleman. We have the distin-
guished chairman of the full committee, the gentleman from Lou-
isiana, Mr. Tauzin.
Chairman TAUZIN. I thank you, Mr. Chairman. Again, thank you
for this series of hearings, because I think they are better pre-
paring this committee, and hopefully the Congress, for whatever
privacy decisions we need to make, either generally or, as some of
you point out, incrementally.
Let me first say that one of the concerns I have as we explore
all the edges of this privacy debate, is that we very carefully re-
member that we ought to avoid solutions simply looking for prob-
lems. It is easy to do in this area. It is easy to begin imagining how
data could be misused and how people might do something with
data, and then make a great deal of complex Federal laws and so-
lutions designed to fit imagined problems. And what you are doing,
Mr. Chairman, is actually focusing on the real world, the reality of
how data is exchanged, and how the industry is really working for
its own customers sake and its own business self-interest, in build-
ing self-regulatory regimes and regulating itself. And that is an im-
portant part of this process, I think, understanding where the real
problems are, not the imagined ones.
In that regard, in the very short time we each have, I want to
do just one thing with this very important panel. I would like each
of you to answer this question in order, and I will be very satisfied
with my 5 minutes. It is a very basic question, and it is a question
that goes to what is probably the most important decision we first
make on privacy. And that is whether to make privacy policy Inter-
net-specific or not.
Now, you all operate your businesses in different ways, online
and off-line. Some of you are strictly online. But the question I
have is that, recognizing that if we made privacy policy that was
Internet-specificwhich could, theoretically, prejudice commerce
against online activities in favor of off-line activitiesrecognizing
that, is there a good reason to make privacy policy special and dif-
ferent and unique for the Internet world, the online world, as op-
posed to making it consistent for all activities, whether it is online
or off-line?
If each of you will comment on that in a row, I would deeply ap-
preciate it.
31
Ms. PEARSON. I get to start. From IBMs point of view, it is the

same data base or set of data bases, in back of that curtain, that
receive the information, no matter where it comes from. So our
view has been that if we are going to be deliberative about this,
we ought to realize that. And therefore, particularly since the
Internet is so new as a mechanism for communicating, that we
ought to think about all the media equallythat there shouldnt be
a disadvantaging of the Internet over other media. That is a start-
ing point for discussion.
Chairman TAUZIN. Okay. As you go down, I wantif any of you
have a good reason to believe that the Internet is so different that
it needs special rules, if you dont mind commenting on that.
Please?
Ms. HOURIGAN. Sure. I thinkwe actually had this exact debate
in our company, as to whether it was appropriate to apply a dif-
ferent set of standards to the Internet. And we came to the conclu-
sion that it did not.
However, I think to the extent that there may be specific abuses
that may occur in the online world that would not exist in the off-
line world, then it may be appropriate to treat those particular in-
stances differently. But for General Motors, we still collect a tre-
mendous amount of information off-line, and so to apply different
standards would be challenging. And, you know, it is complex
enough as it is, I guess. So, thank you.
Chairman TAUZIN. Thank you.
Mr. SMITH. Let me answer by just talking about how we are look-
ing at this within P&G. Our dream is that we would be able to
bring together information that we have about a single consumer,
regardless of how that information was collectedthrough con-
sumer relations contact, a web site, whatever. And the reason is
that when the consumer calls the next time, or when we make an
offer, we would like to reflect everything we know about that con-
sumer. And when we recognized that, we said, we need to apply
the same information practices to all the data, because it is going
to end up in the same place.
So, you know, we would obviously believe that looking at that in-
formation, regardless of its source, regardless of where it is stored,
being treated in the same way.
Mr. MISENER. Mr. Tauzin, we strongly believe at Amazon.com
that any new legislation ought to apply both to the online and the
off-line worlds. There are a couple of reasons. One is the funda-
mental fairness that you mentioned to online companies who would
be potentially burdened by a new regulation that would not apply
to our off-line competitors.
But more fundamentally, it is a consumer issue. Consumers
spent, in the retail world, 99-plus percent of their dollars in the off-
line world. Less than 1 percent of the retail transactions were
made online. And so an online-only law is going to do very, very
little for consumers more broadly.
Moreover, the consumers that it would help, that it would effect,
would be only those on the fortunate side of the digital divide. If
you dont have the education or money to be shopping online, that
privilege, you would get no benefits from an online-only law.
32
Mr. JOHNSON. Mr. Tauzin, we believe that there is not a reason

to make it Internet-specific per se. Our customers shop with us via
the phone, via the Internet. Many of our customers interact with
us through numerous different ways.
One position that we do take, however, is that there is a need
to be sure that we really understand the implications that it may
have on companies like us that are a multi-channel business, and
the implications in the long run that it may have for the consumer
in ultimately providing the high level of customer services that our
consumers expect.
Chairman TAUZIN. There you go, Mr. Chairman. I have found
you unanimous consensus.
My work is done. Thank you very much.
Mr. STEARNS. I thank the chairman. Mr. John? Oh, no, he is not
here. Mr. Doyle?
Mr. DOYLE. Thank you, Mr. Chairman. Boy, I sure hate to rain
on the parade here. And I think this has been a good discussion,
and a helpful one. But let us all remember here, too, that sitting
before us are representatives of Fortune 100 companies, and I
think that in an ongoing basis we also need to hear from con-
sumers and from small businesses, because I think they face some
different problems complying with and adhering to privacy policies
than some of these companies here, who have vastly greater re-
sources. And that needs to be kept in mind.
Mr. Misener, at Amazon.com you sell videos, right?
Mr. MISENER. Yes, sir.
Mr. DOYLE. We have a Federal law that if I walk into Block-
buster and buy a video, they are not allowed to keep a record of
what kind of videos I am buying. Now, obviously that law doesnt
apply to Amazon.com online, because you keep records of what
kind of videos your customers buy?
Mr. MISENER. We keep those records in the ordinary course of
our business, which is a specific exclusion in that law.
Mr. DOYLE. Yes, exactly. So in that respect, your online service
is treated somewhat differently than an off-line service.
Mr. MISENER. Well, if off-line services were using those records
in the ordinary course of their business like we do, they also could
keep those records.
Mr. DOYLE. But Blockbuster could never disclose or keep records
of anybodys purchases, I am saying. You could share that informa-
tion, could you not?
Mr. MISENER. Let me be clear on a couple things.
Mr. DOYLE. Sure.
Mr. MISENER. First of all, we would be delighted to be in the For-
tune 100. We would actually be delighted to be in the Fortune 500.
Tune in this time next year. But we are fully compliant with that
video restriction law that you mentioned, because we do use those
in the ordinary course of business. We do not revealrepeat, do
not revealthat information to third parties at all.
Mr. DOYLE. But you do that voluntarily, is what I am saying.
There is no law requiring you to do that. You do that as a matter
of policy.
Mr. MISENER. I think it could be argued that that law applies to
us. But we are responding to what our customers demand. If we
33
did that, we would lose customers, and therefore, because our cus-
tomers want it, and because we are pro-privacy, we do it. And so
therefore, the market forces are forcing us to do this. Just like
keeping our prices low and providing a high level of convenience,
we are providing a level of privacy protection that consumers de-
mand.
Mr. DOYLE. Yes. And I guess the point I am trying toand it is
certainly not an attack against Amazon.combut we have all kinds
of vendors and entities out there that all have varying degrees of
privacy policies, and do things that they are not really required to
do. You do it because it is good for your customers. And that is
what we are hoping for, that there isnt going to be a need for
heavy regulation because the industry understands that that is the
way to go.
But I can tell you that most consumers dont have a clue how
data is being collected on them. They dont understand what a
cookie is; they dont know, when they are surfing the web, what is
happening to them. Trust me, they dont.
And I guess it doesnt bother me so much in the retail end. I
mean, I go to Giant Eagle and I have got my little Advantage Card,
and you know, I swipe that across the deal and I get some dis-
counts for doing it. But it also allows that supermarket to track
what I am buying, and make sure that the stuff I want is there.
I think it is helpful that we dont get junk mail, if people know
what our preferences are. So I see tremendous benefits from it.
But I also see the tremendous potential for abuse, especially in
things like medical records and issues of personal behavior, where
consumers have the right to expect that those types of information
arent being shared with anyone, and that when you are dealing
with vendorsI know you say some of your vendors have the same
privacy policies that you do. I just dont understand what the en-
forcement mechanisms are. How do you know they are not vio-
lating their own policy?
So I guess, you know, we struggle with these things. And it is
politically unpopular to want to do anything against the Internet,
because it is such a sexy new thing, and you know, everybody
wants to be seen as high-tech up here on this panel. But I think
there are some real concerns, and we appreciate your input at
these hearings. And I think we have a long way to go, Mr. Chair-
man, to hear from many different groups, so that when we do fash-
ion legislation we do it thoughtfully.
But I appreciate your testimony today.
Mr. STEARNS. I thank the gentleman. The gentleman from Illi-
nois, Mr. Shimkus?
Mr. SHIMKUS. Thank you, Mr. Chairman. And I am glad my col-
league Diana DeGette here, because I used her phrase, since you
mentioned it, in hearings earlier this year about individuals
not
Ms. DEGETTE. See that you get it right.
Mr. SHIMKUS. Yes, she is concerned that I am using some of her
quotations. But how much individualswe dont understand the
benefit we have from some information sharing. And although we
want to find out the benefits to you from having good, strict poli-
cies.
34
And I was just interested here in how much you actually are
using the information in product-specifics at P&G, personalized
beauty care products to individuals, and the information and the
like.
I want to boil it down a little simpler, in the debates that we use
here and the terminology that we use here in legislating in this
arena, and get a few comments. And I want to address questions
on this opt-in/opt-out aspect, because in some aspects, when people
order from Amazon.comwhich we have doneit is almost implied
that you are opting in, because you are providing the information
that they have to send you the product. And then there may be
some other boxes to put. And I am not sure if it is a total require-
ment to fill in all the boxes before you get an order processed
versus an opt-out provision which would say, I want to buy your
product. But I dont want you to get any more information on me.
All I want to do is purchase your product, and opt outdo not use
this for anything else.
We also use here in Washington-speak the telephone directory as
an opt-out system that works. We wouldnt have a telephone direc-
tory that worked if everyone had to call in and say, yes, I really
want my phone number listed in a directory. But we do know that
if you call, you will get an unlisted number. For a price, as Im
being corrected. But that is a price that some people are willing to
pay.
So I would like to have your comments on how the whole debate
on opt-in/opt-out affects you individually as you do this planning,
and how you are going to respond to whatever it is that we end
up doing. And I would do it the same wayactually, yes, lets just
go the way the chairman did at the table. And if you dont want
to add, then you can just pass.
Ms. PEARSON. Opt-in versus opt-out, from a business perspective
it boils down to choice, and what is the right amount of choice to
provide the consumer when you are dealing with a consumer? And
that is really, if you are a customer-centric business, is what is the
expectation of that consumer, and what is going to result in a bet-
ter environment, a more trusted relationship? Because I want to
continue my relationship with that consumer. And so sometimes
you market and you use opt-in.
Particularly for us, in e-mail solicitations, we will only send out
e-mails if somebody has opted in or we have a prior existing busi-
ness relationship, where there is no surprise when you are going
to get that e-mail.
Sometimes it make a lot of sense to do opt-out, because all we
are going to do is, if you are not going to check here, we are going
to take advantage of your not opting out and send you an addi-
tional piece of literature about that IBM Aptiva. And we want to
do that. And there is really very little harm that comes from doing
that.
So sometimes it is opt-in, sometimes it is opt-out. And then the
debate becomes, should there be a national requirement as to one
certain level? And should you impose that on every kind of busi-
ness decisionmaking, or how you interact with the consumer? That
is the real question.
35
Ms. HOURIGAN. I would agree with Ms. Pearsons statements,

and also add: it comes down to prominence, and making sure that
you are doing it in a way that is understandable to the customer.
I thinkwearing my consumer hat for a minuteI have seen it
done, opt-in and opt-out, done in very positive ways, and in very
sort of, you know, less than satisfactory ways. So again, I think the
important concept here is choice, and prominence, and presenting
it in a conspicuous and understandable way.
Mr. SMITH. I would second the call for the fact that the promi-
nence and the clarity of the choice is more important than what the
default is. We use a system in Proctor & Gamble, and we are mov-
ing it to universality in our company. But we ask, you know, would
you like to have other offers from this brand? Would you like to
have other offers from other Proctor & Gamble brands? Would you
like to have offers from other reputable companies who are part-
ners? And so we get kind of a hierarchy of choices for our con-
sumers.
Mr. MISENER. My wife is from the North Hills, just north of
Pittsburgh. And we go up to the area frequently. And we have a
Giant-Eagle card. And I can assure you, down at the bottom of that
application formI dont recall it exactly. But I am sure that there
is a little check box that says that you can probably opt out of get-
ting solicitations based on your purchases there. Small print, down
at the bottom, didnt pay attention to at the time, probably
wouldnt care much about it.
On Amazon.coms site, when we talk about information with one
of our affiliatesfor example, ToysRUs.com for certain toys deliv-
erieswe actually have a little cartoon picture prominently dis-
played on the site, which shows Geoffrey the Giraffe, the Toys R
Us giraffe, sitting in an Amazon.com box. Now, that little picture
makes it crystal clear to our customers, without having read a long
privacy policy or read the fine print at the bottom of the page, that
Amazon.com is going to be delivering a Toys R Us product. Real
simple. That is meaningful choice, in our view.
And so yes, as I mentioned before, we provide opt-in choice for
any kind of sharing with our affiliates, and we dont share any in-
formation, period, with any non-affiliated third parties. But when
there is that choice, we want to make it meaningful choice, so that
customers and consumers actually understand what is going on.
Frankly, Geoffrey sitting in the box makes a lot more sense to con-
sumers than small type at the bottom of a form.
Mr. JOHNSON. There is not a whole lot I can add to what has al-
ready been said. With respect to our business, our business is very
different from Amazons in that we are a well established direct
merchant. The opt-in aspects of communication via the Internet is
only relatively new to us in the history of our business.
It would be fair to say that in transacting our business, to an
earlier point raised, there is a certain amount of information that
is required. But with respect to opt-in versus opt-out, depending on
online or off-line aspects of our business, we comply with what we
believe to be the expectations of our customers. So with respect to
our Internet business, our communications via e-mail, it is very
clearly opt-in. On the catalogue mailing side of our business, we
certainly give our customers choice there as well, making sure that
36
they know that if they want to limit that sharing of their name and
address with like-minded companies, that that option is available
to them.
Mr. SHIMKUS. Thank you very much. I yield back.
Mr. STEARNS. The gentlemans time has expired. The gentlelady
from California, Ms. Harman?
Ms. HARMAN. Thank you, Mr. Chairman. I have an opening
statement which I would like to submit for the record.
Mr. STEARNS. By unanimous consent, so ordered.
Ms. HARMAN. And I would mention that in it, I attach an inter-
esting op-ed that appeared earlier this week in the New York
Times, authored by Peter Wallison, a friend of mine who is a
former counsel to President Reagan, in which Wallison points out
the difficulties of opt-in and what it would do to the financial com-
munity. I thought it was very interesting to read that author make
that point.
At any rate, I have appreciated the testimony of the witnesses,
and would like to declare, at least for myself, that these are the
good guys. You are all good guys. And I congratulate you on being
sensitive to privacy concerns.
My question, Mr. Chairmanmaybe it is for you and the com-
mittee, more than it is for our panelis what about the bad guys?
What about the people who are not sitting here, who dont think
that privacy and protecting our privacy matters?
And interestingly, I understand that todays Industry Standard
reports a list of sites with the greatest concentrationnot absolute
numbers, but the greatest concentrationof teen users. I raise this
because I know we are all concerned with teenagers. As a mother
of two of them myself, I certainly am. But none of those people are
sitting here. Let me just read this list: Teen.com, TeenPeople.com,
Katrillion.com, SparkNotes.com, BadAssBuddyIm sure we would
love that onedot-com, Blink182.com, CoolQuiz.com, TeenMag.
com, TeenChat.com, and Seventeen.com. Some of these sound pret-
ty antiseptic. There is one word I read that I am sure we are all
going to now check out.
But at any rate, here is the Katrillionsite, just so you know.
Katrillion is reported to be an entertainment and gossip portal.
Here is what it says on the site: By using this site, you agree to
the terms and conditions outlined below. If you do not agree to
these terms and conditions, please do not use this site.
Okay, good.
We reserve the right to change, modify, add, or remove portions
of these terms at any time, whenever we want. If you continue to
use the site after we have posted changes to the terms, it means
you have accepted those terms.
Now, if you are 16 or 17, you wont even read this. But if you
read this, and then you logged on to the siteat least the way I
understand this, and I realize my mind is not as agile as my chil-
drensthe way I understand this, they can do whatever they
want.
So I would at least postulate that Katrillion would not be a good
guy in the way that you are, because I dont think that is what you
would do.
37
I want to ask the panel, Mr. Chairman, I really have only one
question, what do you have to say about this kind of information?
Your kids, presumably, or your nieces and nephews, or your broth-
ers and sisters, or teenagers that you know, are logging on to these
sites much more than they are having anything to do with you.
And what advice do you have for us about this kind of stuff?
Ms. PEARSON. I have a 9-year-old daughter who, when she is old
enough to go on the web by herselfwhich is when she is going
to be 18
Ms. HARMAN. Good luck.
Ms. PEARSON. I would beyes, youre right. I am very concerned
about that, as a mother. And there are not only privacy issues
raised in what you said, Ms. Harman. There are many other issues
raised. It is absolutely critical that we educate our children, par-
ticularly those who are old enough to be on their own on the web,
about what to look for. There is absolutely no reason that a teen-
ager should not be looking for some sort of privacy policy or seal,
or other kind of indicator of what is good for them.
But we all know that they are going to go wherever they
shouldnt go anyway. Those sites, no matter what they say, are still
bound by laws. And they still should be bound by industry prac-
tices, so that if they are not doing what they say they are doing,
they ought to be prosecuted, and there should be enforcement. If
they are doing something misleading, collecting information and
abusing that information to hurt a child, they should be prosecuted
to the fullest extent of the law. And there are laws that can get
you there.
If they are a bad guy and they disregard industry practices and
they disregard existing law, then they are a bad guy, period. And
I am afraid that a law or industry practice, whatever that is, is still
going to lead to having some bad guys out there. So for us, it fun-
damentally becomes an issue of education. Educating our kids, and
making sure parents are involved with the children.
Ms. HARMAN. Other comments?
Ms. HOURIGAN. I would just add, with respect to that site, and
actually just general commercial web sites, with respect to privacy
and consumers, education is absolutely key. Technology is chal-
lenging; you know, I have to read new articles on a daily basis to
keep up. And so making education part of any comprehensive pri-
vacy solution is appropriate.
I would also say, with respect to the bad guys, you lose cus-
tomers if you dont treat them well. From a large companys per-
spective, if we lose a customer, it is hard for us to get them back.
And so that really drives us to say, hey, this is incredibly impor-
tant, and we need to respect our customers and respect their pref-
erences.
Mr. SMITH. I think empowering consumers to make decisions is
important. And that probably means parents need to step up to the
responsibility of training their kids. Some interesting data: 82 per-
cent of people on the web have seen privacy statements. That is
going up. Sixty-seven percent say they sometimes or always read
them. I suspect that that is an overstatement, to a degree. But you
know, they are aware of them. Fifty-six percent of people say that
privacy statements are important. And the great thing about the
38
web is that you are always one click away fromyou know, if you
make the consumer mad, boom, hit the Back button, and you are
absolutely out of there.
So I think the issue is how do we enable people to understand
privacy policies and make choices?
Ms. HARMAN. Well, my time is up, Mr. Chairman. Any other
comments?
Mr. STEARNS. Sure.
Ms. HARMAN. I thank you. I just want to state for the record that
I am quite dubious about whether Federal legislation will work
here, with the exception of some bright lines around medical and
financial privacy, personal privacy. I think the rest of it might bet-
ter be handled by responsible actors in the industry. But having
said that, there are irresponsible actors. And particularly when
they interact with teenagers, whomI would volunteer, as one par-
ent who attempts to be responsiblewho are difficult to fathom.
I think we are at risk, and I dont know what the answer is. And
it sounds good to say we should all make good choices. Yes. I agree.
Mr. Chairman, I think you should make good choices, and I hope
you have a better ability than I do to understand what is in your
kids head, and to guide them perfectly.
But I think, as a society, we are at risk here. And I dont know
whether we are yet finding the best tools to help overworked par-
ents deal with kids. And I would welcome some enlightenment
here. And I hope that all of you, in your role as parents, keep
thinking about this, because we certainly have a lot of work to do.
Thank you, Mr. Chairman.
Mr. STEARNS. I thank the gentlelady. The gentleman from New
Hampshire, Mr. Bass?
Mr. BASS. Thank you, Mr. Chairman. Two or three observations
about what I have heard in the last hour or so. First of all, only
an absolute dyed-in-the-wool retail salesperson could characterize
an unsolicited e-mail offer or advertisement as a benefit. It is the
computer equivalent to seeing somebody drive up your driveway in
a car full of clothes or something in the back and saying, Oh, boy,
this is just what I have been waiting for all morning long! I am
not sure how popular that really is.
Second, I myself, and my wife, buy products online, and from
nothing but very reputable firms. And yet I receive on average 4
or 5 solicitations on my e-mail address to consolidate my loans, to
travel to faraway places, to make money fast. All you have to do
is click this button and youre rich. And I dont know how it ever
got there, and I think that is part ofby illustration at leastwhat
we are facing here today. I am notthese are companies like
yours.
The third observation I have is that we really areI as a con-
sumer, am presumably at least moderately knowledgeablereally
dont know what to look for. You mentioned, Ms. Pearson, that we
need to educate our children about what to look for. Well, if we
dont know what to look for, then it is hard to educate anybody
else.
My question for you folks, if you wish to answeryou can or
notis, you have high standards. I think, Mr. Misener, you men-
39
tioned that you sell your list to other people that have the same
standards that you have.
Mr. MISENER. I did not say that.
Mr. BASS. Oh, somebody else did.
Mr. MISENER. We absolutely do not sell our list.
Mr. BASS. Okay, Lands End, Mr. Johnson did. To use the anal-
ogy of whispering in a circle, after a while the message may begin
to get indistinct. What happens to the lists that you sell to them,
and then they sell, and so forth and so on? I guess you said your
clients have the same standards that you do. That is a requirement
internally, is that correct?
Mr. JOHNSON. That is correct.
Mr. BASS. And is there any way that that information can be
abused by your clients?
Mr. JOHNSON. We take a number of measures to protect against
that. As I stated in my testimony, it is for one-time usage only, and
that is by a contractual agreement. We also, in managing that
process, we plant what we call our decoys. I myself am a decoy on
that list. So we track usage by those companies, and we track it
very closely, so that we can ensure that it is a one-time usage, and
that the usage of it is as was stated in the original agreement.
Mr. BASS. And you are adequately protected should there be
abuse? You could seek civil action of some sort?
Mr. JOHNSON. Absolutely. Yes.
Mr. BASS. All right. Lets see. Does your commitment to con-
sumer privacy extend to sites that might link to or from your sites?
In other words, there might be people that are linking. Can you
control the ability for other sites to link to your site, or vice versa?
Does that make sense, or not?
Mr. SMITH. The answer is you really cant control who can link
to your site. On our sites, if you are moving out of a Proctor &
Gamble site somewhere else that we have linked, there is a notifi-
cation that you are leaving the Proctor & Gamble area, and that
different policies may pertain.
Mr. BASS. Okay. I have no further questions, Mr. Chairman.
Ms. PEARSON. Can I make one point on education?
Mr. BASS. Sure.
Ms. PEARSON. Mr. Bass, you mentioned that it would be great to
know what to look for. And I just want to come back to that and
say that this education, this need for further education, is a bipar-
tisan, it is an industry-governmentwe all need to work together
on education.
And I would commend the Federal Trade Commission for pro-
viding a certain level of education. I would say FTC.gov and the
material there is what every consumer ought to take a look at. I
think any number of our companies has been involved in this kind
of effort. Trustee.org, BBBOnLine.org, and a few other organiza-
tions such as UnderstandingPrivacy.org, the web site for the Pri-
vacy Leadership Initiative, all have information about what a con-
sumer could look for. And any kind of assistance you can provide
in this committee to highlight the availability of those materials,
or to suggest further activities, or to encourage the Federal Trade
40
Commission to encourage that kind of activity, I think would be ap-

preciated and welcome by the American public.
Mr. STEARNS. I thank the gentleman. The gentlelady from Colo-
rado, Ms. DeGette?
Ms. DEGETTE. Thank you, Mr. Chairman. I would like to add my
thanks for having this series of hearings, and also to announce that
at the conclusion we are going to pull my original comment I made
at the first hearing, and whoever paraphrased it the most closely
is going to win a prize.
Mr. STEARNS. Skiing in Aspen.
Ms. DEGETTE. Skiing in Aspen? Yeah, okay, Ill work on that.
I want to go back to something Ms. Harman talked about and
others touched on. And Ms. Pearson, you were just talking about
it briefly, which is, how do we educate consumers? Because I hear
everybody up here talking. I hear Ms. Hourigan talk about what
they do internally to help identify consumer preferences, and to
help their customers, and so on. And I hear others talking about
what happens online.
And I guess my questionI think we all know consumers are
really not educated at all as to what is going on with their personal
information. Some of it, we might agree with the uses, some we
may not. But consumers dont knowdespite disclaimers, despite
privacy policies on web sites, despite some kind of education effort.
So my question to you is, do you think industry has any obligation
to find some way, jointly or separately, to increase consumer edu-
cation, and what would that be? Beyond what we are doing now,
because what we are doing now is not educating consumers. Any-
one?
Mr. SMITH. Well, I think industry does sense the responsibility
to communicate and improve the education. A number of firms in
industry and leading trade associations about a year ago created
the Privacy Leadership Initiative. A key element of that work was
consumer education. We have developed, and will soon launch, a
web campaign with privacy tips for consumers.
Ms. DEGETTE. And how is that going to be disseminated to con-
sumers, so that they can actually know?
Mr. SMITH. As they visit web sites, a banner ad will pop up with
a privacy tip, that explains a privacy practice. You know, how to
create a good password, for example. And then have the URL to
visit the Privacy Leadership site for additional tips.
Ms. DEGETTE. And how widely is that going to be disseminated?
Mr. SMITH. I dont have specific impression estimates at the mo-
ment. But the members of the Internet Advertising Bureau have
very generously committed to run these ads on a pro bono basis.
Ms. DEGETTE. Anyone else with thoughts on that?
Ms. HOURIGAN. I would just add a couple of comments. The con-
cept that Trustee, which is one of these seal programs, recently an-
nounced regarding labeling, so you would basically develop a label
for a particular practice on a web siteI think that will go to at
least alleviating some of the burden on a customer to go through
and read a privacy statement and understand. And hopefully,
again, that will serve toit will be a little more transparent to the
customer. I think that is an interesting concept. I am not sure
what the status of that initiative is, however.
41
The other thing I would mention is the introduction of the plat-

form for privacy preferences, or P3P, which will be built into Inter-
net Explorer 6.0. What I think we hope for is this becomes almost
a transparent issue for customers, and they become familiar with
it, because it is built into their browser, they can select their pref-
erences, and basically it will be an effort for the browser to look
in course and communicate that information back to them.
Ms. DEGETTE. Well, you know, I appreciate these answers. But
as you yourself can realize, they are not very specific or broad. And
so my suggestion to the industryI know we have many represent-
atives here todaywould be you start to think about these things
on a much broader scale, especially because we are all loath to
have over-reaching government regulations, which means there is
a big responsibility for companies.
And let me follow up, because the title of this hearing is How
do Businesses Use Customer Information: Is the Customers Pri-
vacy Protected? This hearing, and your testimony, is not just
about online privacy, but privacy in general. And I am wondering
if any of you can talk about whether you think standards for pri-
vacy for data that is not online should be different than online
data. And if not, how do we deal with that? All of your answers
were related to Internet privacy.
Mr. MISENER. Ms. DeGette, thank you. As I mentioned in my tes-
timony, we strongly believe it ought to apply equally off-line as to
online, for a variety of reasons, not the least of which that so few
transactions and so few consumers actually are online.
My wife and I purchased a small $15 space heater a few months
back, and inside was a warranty registration card. In the card, in
filling it out in pencil, they wanted me to list our household in-
come, where we took our last vacation, whether or not we read the
Bible, and whether or not someone in the household has prostate
problems.
Now, I assure you this information is far, far more sensitive than
any information Amazon.com collects. It would be patently unfair
to consumersto consumersnot to address that issue, as well as
the online issue.
Ms. DEGETTE. Right. And how do we address that issue without
passing a law?
Mr. MISENER. All I am suggesting is that when we think through
whether or not the market is taking care of it, whether or not there
are real problems out there, they ought to be addressed equally on-
and off-line.
Ms. DEGETTE. Thank you.
Ms. PEARSON. Ms. DeGette, my answer, and I think a number of
the other answers, were that our practices apply online, off-line, no
matter where were getting information, throughout our companies.
And there is sort of, within my company there is an equal level of
protection for information.
I think in terms of how to handle these issues, I would suggest
focus first on that information that is the most sensitive. For exam-
ple, medical information. You know, we have strongly supported
Federal-level legislation on medical, very sensitive information for
a long time, and we are very happy that there has been some activ-
42
ity and movement in that area, to create Federal-level protections.

Those are absolutely sensitive information.
Ms. DEGETTE. Thank you. Thank you, Mr. Chairman.
Mr. STEARNS. I thank the gentlelady. The gentleman from Or-
egon, Mr. Walden?
Mr. WALDEN. Thank you very much, Mr. Chairman. I have a cou-
ple of questions. I want to follow up on something Mr. Bass said
I think is of interest to me. I get those same sort of junk e-mails,
if you will allow me to use that term.
And I guess I am probably not unlike a lot of other consumers
who want to be able to respond and tell somebody no, stop sending
that to me, get me off your list. And yet I am sort of fearful that
if I do, I may actually end up on more lists. You know, because I
have heard that if you open some of those, then you really connect,
and away you go. So I think as you wrestle with that one, I would
be interested in your comments.
I would also be interested in your comments on international
standards, because the Internet is so ubiquitous. We run into this
issue with other Internet-related problemswe can establish a
standard here, but what are you facing in other countries, in terms
of privacy? You talk about State pre-emption. What are you facing
in terms of other countries?
And then I guess another question I would have for you is have
you analyzed these off-line laws on privacyyou talked about the
collection of data thereto see how and if they should be applied
to online data collection and privacy standards? I understand what
Mr. Doyle was saying regarding the rental of movies, and I under-
stand Amazon, you know, abides by that same sort of carve-out in
the statute. But are there other off-lineif we are going to treat
everybody equallystatutes regarding privacy that we need to fol-
low?
So I will throw it open to you for your responses.
Ms. PEARSON. Let me address the international question, Mr.
Walden. I will let my colleagues address the question of unsolicited
commercial e-mail.
We operate in 160 countries, and so we have deep experience
handling information all over the world, both on our own behalf,
as well as on behalf of many companies and organizations. And I
can tell you, similar to what Mr. Swift said in his oral remarks,
that many countries have data protection, data privacy legislation.
Most others do not. And it is a concept that is kind of foreign and
not really developed in many parts of the world, particularly in
Asia-Pacific and in Latin America.
I can tell you that we provide the same level of protection
throughout the world, and that the requirements that are imposed
on us in Europe, of course we comply with. But I cannot, as Mr.
Swift said, say to you that we are providing any greater level of
protection to the average European citizen by virtue of that. Sure,
we have to go through some more administrative steps. We have
to have a few more managers doing different things. But I have to
tell you that we are probably more conscious of the issue and more
innovative in the United States than we are almost at any other
place.
43
This is where we have developed our policies. This is where we

have a chief privacy officer. This is where we have engaged in in-
dustry leadership activities, to try to move forward on the issue.
So, that is my comment on the international side.
Mr. WALDEN. Anyone else on any of those three points?
Ms. HOURIGAN. I would add to the complexity of dealing with the
international standards. And it is not just the privacy laws; it is
what the consumer expectation is. And that varies dramatically by
country.
We continue to actually look at the options available to us, to de-
termine what the most appropriate approach is, given that we are
in over 200 countries. But very, very complex and very complicated.
Mr. SMITH. I think the international requirementsand just
looking at the European Commission principlesI think align very
well with principles of the OECD of 10 or 15 years ago, of the FTC
fair information practices. When I began working in privacy about
2 years ago, it seemed to me that those principles were how I want-
ed to be treated, or how I would want my children to be treated.
So I think it is fairly easy, on a principle standpoint, to get to
appropriate principles. The question really is in the administration.
And if I were to testthe question is whether the process benefits
the consumer or not. You know, I think there is a fair amount of
the process that benefits lawyers and paper manufacturers, and
does darn little for the consumer.
Mr. WALDEN. Mr. Misener?
Mr. MISENER. I might take up the question of unsolicited e-mail.
First of all, Amazon.com never, ever sends unsolicited e-mail to
those who are not customers. And as far as e-mails marketing cer-
tain products, at Amazon.com we provide a menu of some 150-plus
different categories that you can go in and select, choose opt-in to
receiving e-mails on specific items of interest.
Mr. WALDEN. Right. Different deal.
Mr. MISENER. So, for example, I have mine set up to send me in-
formation on history books and jazz music, two interests of mine.
This is the kind of thing that is being addressed, by this committee
and also the Judiciary Committee in the House, and also in the
Senate as well, in the context of spam. And we are trying to get
atas I understand, the industry and Congress are trying to get
at these nasty e-mails that we receive from random places about
all sorts of get-rich-quick schemes and such. And so hopefully those
can be addressed. But I think those are outside the context of these
privacy sorts of discussions.
Mr. WALDEN. Yes, to an extent. Although it seems like if you re-
spond to some of those, they are able to apparently take your data
and go and send it elsewhere, it seems like. I dont know.
Do you have a comment on the off-line laws, privacy laws that
are out there, versus online?
Mr. MISENER. Yes, and it is a huge topic. There are several trade
associations, the ITI in particular, who has done an extensive list-
ing of the extant off-line privacy protection laws. And so we would
be happy to provide that to you. It is actually quite long in dif-
ferent areas. And they tend to be targeted, as Ms. Pearson was say-
ing earlier, to things like medical privacy and childrens privacy
things that are the most sensitive kinds of issues.
44
Mr. WALDEN. Okay, that would be helpful. Thank you.

Mr. JOHNSON. Just with respect to the off-line versus online
issue, I dont believe that our customers view themselves as off-line
customers or online customers. They are Lands End customers,
and they have expectations of us. And it is so critical for us to
maintain that relationship with that customer, and do everything
in our power to further the customers interest and make sure that
we are not in any way, shape, or form risking that wonderful rela-
tionship we have with our customers. So I dont see the consumer
as necessarily differentiating between an online versus off-line.
Just one other point with respect to off-line. As we consider off-
line, I think we do need to be very careful about the implications
that off-line legislation potentially has for very small companies,
very small retailers that are not involved in the online arena. You
know, it potentially has an impact on the many very small compa-
nies that do business in this country.
Mr. WALDEN. Thank you, Mr. Chairman.
Mr. STEARNS. I thank the gentleman. Mr. Terry is going to pass?
Mr. TERRY. Yes, I could be redundant and repetitive, but I will
relieve you of that.
Mr. STEARNS. Okay. Before I let you go, if any other member has
a quick questionI had a quick one. Mr. Swift, you mentioned in
your opening testimony about the recent European legislation deal-
ing with information privacy on the Internet, and how you said it
was unimaginable burdens for a company like yours, with no sub-
stantive benefits. But I understand you have joined the safe harbor
decision, to have Proctor & Gamble go into safe harbors. Is that a
compromise? Or are youtell me your reasoning on that.
Mr. SWIFT. Well, the issue is really not safe harbor. The issue
really is not the European Data Directive. The issue is that the
Data Directive required 15 European countries to create their own
privacy legislation that comported with the Directive. Twelve of the
15 have. The three others are in the process.
So as a company that operates, and has data, and has employees
and consumers in all 15 of those countries, I need to obey those
laws. And the issue of the Data Directive really was to facilitate
transfer of data within European countries. So we observe the Eu-
ropean laws and have no problem transferring data there.
The issue is that I need to be able to move employee data any-
where in the world. I may choose to move employee data from the
U.S. to Europe for processing, or from
Mr. STEARNS. By joining the safe harbors, you are complying
with the European Union Internet privacy.
Mr. SWIFT. I am. But it is one choice. In non-U.S. countries, I
have contracts. In other words, if it is going from Europe to Japan,
I have to have a contract. And what I have chosen for the United
States, for administrative efficiency, really what I have done is I
have created 400 contracts between my P&G entities. Which means
that I dont have a contract when I transfer a specific type of data.
I have freedom to transmit any type of data within our corporate
entities.
Mr. STEARNS. So you did it for self-survival?
Mr. SMITH. Well, it is obey the law, and what seems to be the
most efficient or effective way to obey the law.
45
And honestly, what I have found as I have gotten into privacy,

half of my time needs to be spent in making sure that our informa-
tion practices enable our business practices, not impede them. You
know, our lawyers, the easy answer from a lawyer in Europe is,
Well, dont move the data out of Europe. But that is not the right
thing for the business.
So I have to continually look at how can we do what is right for
the consumer, what is right for the business, and at the same time
obey the law? And in this case, I had no choice by to do 400 inter-
nal contracts, and uncountable external contracts.
Mr. STEARNS. Now, Ms. Pearson, IBM, I understand, has not
signed up. Why havent you signed up?
Ms. PEARSON. Not yet. As you can tell, this stuff is mind-
numbingly complex. It can get really complex. We similarly have
operations everywhere in Europe, and we move data globally. So
we have come up with a fairly complexand I will spare you the
detailsway of complying with the European law.
The safe harbor framework is a framework of principles that very
importantly, between the U.S. and the EU, there is a handshake
that says, the EU says, okay, if U.S. companies comply with that
framework and use U.S. mechanisms, including self-regulatory
mechanisms, you are okay for Europe. That is a very important
statement. And we believe in the safe harbor; I support it in prin-
ciple.
It may or may not be the right fit for our operations, because we
are this big enterprise that is really complex. I think it is an ideal
mechanism
Mr. STEARNS. Proctor & Gamble is pretty big and complex.
Ms. PEARSON. And actually we are still looking at the safe harbor
for our web operations, because that is an area where it makes a
lot of sense, since we do use a self-regulatory trust-mark, the
Trustee program, for our web. So we actually may still enroll in it
for that purpose. And I think it makes a lot of sense for companies
who are doing business over the web, in particular small- or me-
dium-sized.
Mr. STEARNS. And of course GM, I understand, has not signed up
either. And you are a big company, too, and complex.
Ms. HOURIGAN. That we are.
Mr. STEARNS. So why havent you signed up?
Ms. HOURIGAN. We actually aresafe harbor is one of the alter-
natives we are looking at. As of today, we comply with the Euro-
pean laws; therefore I dont have an issue with transferring infor-
mation within the EU countries.
Mr. STEARNS. But if the data base is outside of Europe, you
would have to comply.
Ms. HOURIGAN. That is correct. And we actually, as we speak,
are investigating all of our options available. And we will make a
decision in the near term.
Mr. STEARNS. Just tell me why you havent joined. What is there,
the part about the European legislation that you dont like? What
specifically is preventing you from joining? Last year, I think the
Clinton administration had negotiated 30 large companies. And you
folks werent one of them. What is there specifically why you didnt
buy?
46
Ms. HOURIGAN. I dont think there is any specific part that we

dislike. I think it is the challenge ofwe are looking atagain, we
operate in over 200 countries. So the EU is one issue, but because
we are global we are trying to come up with a global solution. And
to the extent thatwe may decide to take advantage of safe har-
bor.
Mr. STEARNS. Is there anything that Congress could do to make
this simpler for companies like yourself?
Ms. HOURIGAN. I dont think so.
Ms. PEARSON. The issue is, we have a European law, and we are
complying with a European law, in various ways. And the safe har-
bor framework is one way to do it.
Mr. STEARNS. But you have not signed up, and I just want to
know why IBM and General Motors have not signed up. What spe-
cifically is the reason?
Ms. PEARSON. There are other ways of complying with the Euro-
pean law. So the safe harbor is 1 of 3 or 4 or 5 ways of achieving
compliance with that law.
Mr. STEARNS. I am not saying you should necessarily. I am just
curious.
Ms. PEARSON. And so, at this point, I think what help the gov-
ernment, from the U.S. side, could do is to keep actively engaged
with Europe in oversight capacity and dialog capacity, to make
sure that U.S. companies are treated similarly with European com-
panies with respect to how this law is implemented. Because it is
a very important issue going forward.
Mr. STEARNS. Anyone else like to mention anything else? And
then if any other member would like to add another question, I
would be glad to welcome that. Mr. Doyle?
Ms. HOURIGAN. I will add oneIm sorryone very brief com-
ment. And that is when safe harbor was negotiated, as you all
know, there was a carve-out for financial services. We have a tre-
mendous presence, with our GMAC operations, in Europe. And that
is one thing that we are looking at, because that is not included
in safe harbor.
Mr. STEARNS. Okay. Mr. Misener?
Mr. MISENER. Mr. Chairman, thank you for this question. And
actually it gives us an opportunity to hopefully clear up some of the
misconceptions that have been produced in the press recently.
Safe harbor does not imply one way or another necessarily com-
pliance with the underlying national privacy laws in European
countries. We are fully compliant with all the national privacy laws
there that govern the transfer of information in and out of the Eu-
ropean economic area. However, we have not sought safe harbor
protection; we have not yet been convinced of the value of the safe
harbor in itself. Yet we are fully compliant with the national laws.
And so it is not the same to say that we are not complying or
interested in complying.
Mr. STEARNS. Well, you were just saying that if you had signed
a legal document, then the enforcement mechanism in the Euro-
pean Union would apply to you. And right now
Mr. MISENER. That is correct.
Mr. STEARNS. [continuing] that is what it sounds like you are
worried about.
47
Mr. MISENER. Well, I am not sure we are worried, actually, Mr.

Chairman.
Mr. STEARNS. Not worriedits a word. But I mean, it is another
ambiguous set of circumstances that you dont know the implica-
tion of, and yet you are complying.
Mr. MISENER. I think that is fair to say. We are just not yet con-
vinced of the value of seeking safe harbor treatment per se. Al-
though, again, I clarify that we are fully compliant with the na-
tional laws in Europe, and therefore dont necessarily need to at-
tain that safe harbor protection.
Mr. STEARNS. Okay. Mr. Doyle?
Mr. DOYLE. Yes, thank you. Just one quick follow-up. Just before
you leaveand if you could take off your company hats and just
be citizens and consumers, we wont hold you responsible for any-
thing you say.
Mr. STEARNS. Just forget the camera.
Mr. SMITH. Oh, sure.
Mr. DOYLE. We will never tell anyone else what you said.
Mr. SMITH. You will protect our privacy, right?
Mr. DOYLE. You have got complete privacy here.
But just to help us with this, you know, these computers, they
are getting faster every day. They store more information. It is
scary to think 5 years from now how quick they will be, and how
rapidly we will be able to collect and disseminate information.
What scares you, or concerns you, as a private citizen, about the
ability that many people are going to have to collect and dissemi-
nate information on just about everything? I mean, what scares
you when you just think as a private citizen about this technology,
and what is the potential for abuse?
I mean, I get these things on mymaybe because we are in poli-
tics. But I think we get them all the time. You can spy on your
neighbors and friends, you know, just sign up here and you can
learn anything you want to learn about your political opponents.
And I have always been tempted to click on that.
But I havent. But thinkI mean, 5, 10 years from now, given
what is happening in this technology, what really scares you about
this ability to collect all this information on one another?
Mr. SMITH. I think to me the question is, where does harm occur?
If someone takes a communication out of a mailbox that has a per-
sons Social Security number, and from that steals a persons iden-
tity, that is concerning. And you know, that has been possible as
long as there have been mailboxes and Social Security numbers.
And if we find that there are elements that, you know, at some
level of frequency create harm, then we have got to break the code.
We have got to stop the pipe on that.
Typically, that is not where companies in commerce are. I mean,
our consumers vote for us every day, and we are trying the best
we can to get them information. And those are the things where
we dont want to break the code or break the bank.
Mr. DOYLE. But just as a citizen.
Mr. SMITH. I dont want my identity stolen. I dont want my cred-
it cards stolen. I appreciate it when people inform me of practices
that can help me for those things not to happen.
48
I think, you know, some of the software that is being developed

that will give us more choices about the data that we give up on
the Internet all make good sense. You know, if you dont want peo-
ple to have the answers to what is on the warranty card informa-
tion, dont do it. You know, most of the stuff that you get on the
web, it has an unsubscribe at the bottom. Lets help people hit the
unsubscribes. And my bet is that most of the things that we are
most concerned about would be something that may be facilitated
to a degree by technology. But it is, you know, how do you stop a
criminal from doing a criminal act?
Ms. HOURIGAN. I would just add to the concept of identity theft,
I have had two people very close to me undergoit has just been
an absolute nightmare for them. And it has got such a tremendous
ripple effect, sweeping consequences. And it really requires a tre-
mendous amount on a consumer to try and rectify a wrong that
was completely outside his or her control.
Mr. DOYLE. We are getting called to vote.
Mr. STEARNS. Yes. Anyone else?
Mr. MISENER. Well, Mr. Doyle, very quickly, before I was brain-
washed in law school I was an electrical engineer and a computer
scientist. And I do have an appreciation for those huge data bases
that are out there, that you mentioned. Those exist quite distinct
from the Internet. The Internet is a communications medium, as
we all understand. But those data bases are also connected to a
typist who actually took that little warranty card asking about the
prostate problems in my family, and typed it into those data bases.
I think what the concern is, as a citizen, is the type of informa-
tion that we are talking about here. I dont care if someone knows
that I bought that pan at Amazon.com. I really dont care. I do
care, however, about medical records, financial information, infor-
mation about young children, those sorts of things. And those
things deserve a higher level of scrutiny and protection.
Mr. JOHNSON. I agree absolutely with what everyone here has
said. As a consumer, as a citizen, the technology itself doesnt scare
me a bit. A concern, though, as a consumer is with respect to, as
Mr. Misener stated, financial information, health care information,
which is dealt with separately and is protected. So the technology
itself and the communication mediums and whatnot really dont
frighten me.
Mr. DOYLE. Thank you all.
Mr. STEARNS. Ms. DeGette? Mr. Towns?
Mr. TOWNS. Hearing all of thisand believe me, there are a lot
of problemsyou still feel that we should not do anything? The
Congress?
Mr. MISENER. Do I feel that you should not do anything? I dont
think legislation is inherently necessary, as I mentioned before, be-
cause I think companies are being forced to address these issues
head-on, or they are not going to survive. These are the kinds of
issues that we must do, simply to please our customers and to sur-
vive in the marketplace.
So no, Mr. Towns, I dont believe that legislation is inherently
necessary. But if there is a belief that there is a need to address
specific areas of informationfor example, financial or medical or
childrens informationI think that strong arguments could be
49
made to go after those specific types of information, as opposed to

the medium through which they are collected.
Mr. SMITH. And one of the things that I would urge is that we
start from where the harm is. You know, with Graham-Leach-Bli-
ley, all of us have had our mailboxes full of disclaimers that are
too long to read and incapable of being misunderstood. And the
reason was that we didnt look at where the harm was, but we
looked at a type of data. And I think we need to find where the
difficulty is and then address that difficulty, rather than to take a
blanket approach on a specific type of data. As important as it is.
Ms. PEARSON. I hope you will pass new privacy legislation, at the
right time, on the right subject. I am not smart enough today to
tell you exactly what it is, but I hope we can work together to find
it.
Ms. HOURIGAN. And I would also urge, if that were to take place,
industry appreciates being involved. And there are a lot of practical
complexities associated with this issue. And so we would appreciate
having our input heard.
Mr. TOWNS. Mr. Johnson?
Mr. JOHNSON. I concur with Mr. Misener. I believe the vast ma-
jority of companies doing business today are doing everything in
their power to protect their relationships with the consumer. And
I would just caution that we not do something that inhibits our
ability to ultimately serve our customers and provide benefits and
valued services and products to them. As Ms. DeGette said earlier,
how do we target the bad guys, the very few that raise these kinds
of issues? I dont know that I have answers for that, but I am not
convinced necessarily that legislation is going to be successful at
doing it.
Mr. TOWNS. Thank you very much, Mr. Chairman.
Mr. STEARNS. I thank my ranking member. We have finished
with panel No. 1. We have been called to vote. So it is probably ap-
propriate to reconvene after theseI think we have two votes. So
we will do that, which would bewe have 10 minutes left on this,
and then 5, 15. So hopefully we will reconvene in about 15, 20 min-
utes. And so I thank panel No. 1, and if panel No. 2 will hold, we
will be right with you.
[Recess.]
Mr. STEARNS. The committee will reconvene, and we will have
panel No. 2. And we thank you for waiting.
We have Jennifer Barrett, Chief Privacy Officer of Acxiom. And
we have Mr. John Ford, Chief Policy Officer, Equifax, Incorporated.
And Ms. Deborah Zuccarini, Executive Vice President and Chief
Marketing Officer of Experian. Welcome to you.
And Ms. Barrett, if you dont mind, we will have your opening
statement.
STATEMENTS OF JENNIFER T. BARRETT, CHIEF PRIVACY OF-
FICER, ACXIOM; JOHN A. FORD, CHIEF PRIVACY OFFICER,
EQUIFAX, INC.; AND DEBORAH ZUCCARINI, EXECUTIVE VICE
PRESIDENT AND CHIEF MARKETING OFFICER, EXPERIAN
MARKETING SOLUTIONS
Ms. BARRETT. Thank you, Chairman Stearns, Ranking Member
Towns. For more than 30 years, Acxiom has been a leaders in re-
50
sponsibly providing innovative data management services to a

whos who of Americas leading companies. And we do it in a way
that goes beyond what is required by law or self-regulation, in
order to respect consumer privacy.
Acxiom believes that any use of information to defraud or dis-
criminate must be illegal. At the same time, we strongly believe in
a balanced approach to the collection and use of information. The
free flow of information we enjoy today has greatly contributed to
our Nations economic growth and stability. Consumers have great-
er choice and variety. Goods and services cost less. And trans-
actions are completed faster and more easily.
It takes much more than just instinct to recognize what con-
sumers want. One hundred years ago, the local shopkeeper knew
just what his customers bought, but knew them also personally,
knew how they spent their time, and he knew their family.
Todays consumers are as likely to shop through a catalogue or
over the Internet as they are in a store. The business-to-consumer
relationship requires new information tools. Acxiom helps busi-
nesses recognize and engage consumers who likely have the great-
est need for what they are selling. Our operations include two dis-
tinct components: data base management services, and information
products.
Specialized computer services represent 90 percent of our rev-
enue, and help companies manage their customer information. This
includes keeping up-to-date customer records in order to ensure
opt-in or opt-out requests are properly honored, and saving compa-
nies millions of dollars when unwanted duplicate promotions are
eliminated.
The other 10 percent of our business comes from a separate line
of information products. These allow businesses to improve their
relationship with consumers, irrespective of whether they live in a
city or in a rural area, whether they are a parent or an elderly
shopper. For example, a major kitchen and bath store used our
product to reach households with elderly patrons likely interested
in learning more about their new senior product line, including
shower grips, bath stools, and large-print clocks.
The real winner in the use of information to engage in the con-
sumer is the consumer. To fit all the pieces of the marketplace to-
gether that we have learned and heard about today, I have pro-
vided a chart on page six of my testimony, and as well on the easel
you see over here to your right. Point A on the chart represents the
consumer, who expects to complete transactions quickly, obtain the
best prices, and choose from the widest variety of products and
services. At point B, we find the business, who responds to these
expectations by understanding their customers and their market.
To do this, they need information beyond that collected during a
sale. For example, the characteristics of a household, such as are
there elderly consumers in the home?
This information is available from two points, or from two
sources: point C, which is directly from another merchant; or point
D, from information compilers such as Acxiom.
For example, our customer enhancement products give busi-
nesses the demographic, lifestyle and interest information they
need to understand their customers and the market. And our com-
51
piled list products provide access to likely new consumers who

would like to be customers.
We compile or acquire the relevant information from a variety of
sources, points E and F on the chart, and aggregate this data by
household. We compile public records and we acquire self-reported
and other general information directly from companies that sell
products and services to consumers, and who offer a third-party
opt-out.
We only receive general summary information, indicating prob-
able interest or lifestyle data. We do not have detailed data about
individual transactions. Acxiom only sells data to qualified busi-
nesses, under contract for specific use. We do not sell data on one
individual or a household, and we do not sell data to the general
public. Our information products help businesses and consumers
fill in some of the missing pieces in todays relationship gap.
We are also very proud of our ingrained culture of respect for pri-
vacy. Since we do not have a relationship with the consumer, we
ask our customers to refer any consumer to us who inquires about
our data. We have posted a privacy policy on our web site since
1997, and we maintain a consumer care department to handle in-
quiries. We also provide an opt-out to all marketing products
through our web site and via a toll-free hot line.
We have consistently not only met but exceeded all requirements
placed on us by law and industry self-regulation, by establishing
our own even more restrictive policies.
In closing, there are a few things that I would like to add that
we do not do. Acxiom does not have one big data base containing
data on every individual. Instead, we have many different informa-
tion products designed to meet the various business needs of our
customers. The information we provide cannot be used for decisions
of credit, insurance, or employment. And we do not sell Social Secu-
rity numbers, credit or other detailed personal financial informa-
tion that could be used to steal someones identity.
In short, we are committed as business leaders and consumers
ourselves to protecting consumer privacy.
Mr. Chairman, on behalf of our more than 5,000 associates, I
wish to thank you for the thoughtful approach which your sub-
committee continues to use in studying this very important issue.
And we appreciate the opportunity to be here.
[The prepared statement of Jenniffer T. Barrett follows:]
PREPARED STATEMENT OF JENNIFER BARRETT, CHIEF PRIVACY OFFICER, ACXIOM
CORPORATION
INTRODUCTION
Chairman Stearns, Ranking Member Towns, and members of the Subcommittee,

thank you for the opportunity to participate in this timely hearing and to share
Acxiom Corporations perspective on how the current flow of information powerfully
underpins the vibrancy of the new American economy.
As your Subcommittee continues to explore the issue of privacy in the responsible
manner that this series of hearings evidences, we strongly support the concept that
a balanced approach to the use of information must be achieved. We believe that
inappropriate use of information to defraud or discriminate against consumers
should be illegal, as it is already in most situations. Furthermore, the relatively free
flow of information we find today in the U.S. has significantly contributed to our
nations economic growth and stability by enhancing variety in consumer goods and
services, by facilitating lower domestic prices as compared to foreign markets, and
52
by accelerating the speed and ease with which transactions can be completed. We
believe that it is imperative that consumers be protected from fraud and discrimina-
tion while the benefits to both consumers and businesses are preserved.
When privacy laws and implementing regulations overreach, the results can be
devastating: legitimate businesses suffer irreversible damage, and consumers unin-
tentionally lose many advantages. It is our hope that by sharing our story with
youas well as by separating information myths from realitywe will aid you in
evaluating an appropriate legislative direction.
ABOUT ACXIOM CORPORATION
Founded in 1969, Acxiom Corporation has more than thirty years experience in
customer data management services, technology leadership, and awareness of and
sensitivity to consumer and business privacy concerns. We are based in Little Rock,
Arkansas, with operations throughout the United States, Europe, and Asia. Our an-
nual revenues approach $1 billion. Our company has over 5,000 employees world-
wide: with over 2,800 of them working in Arkansas, almost 1,000 in Illinois, more
than 200 in California, and 170 in Arizona.
Acxioms business includes two distinct components: database managment serv-
ices and information products.
Database Management Services
Acxioms database management services, which represent ninety percent of the
companys revenue, include a wide array of leading technologies and specialized
computer services. These services help large companies improve and boost customer
loyalty, retention, and market share by making accurate customer recognition pos-
sible across multiple lines of business and across multiple points of sale, including
the Internet, call centers, and retail outlets.
Customer recognition is critical to delivering an exceptional initial customer expe-
rience, retaining that customer, honoring consumer preferences about how personal
information is used, and improving business profitability. Although e-commerce has
increased consumer product availability, it also has made customer recognition more
difficult.
Acxioms database management services assist companies in better managing
their customer information to address this need. For example, it is not uncommon
for a companys databases to contain several different names and address variations
for the same person. We provide services that will accurately recognize a particular
individual. Our services can save a company millions of dollars when, for example,
unwanted duplicate catalogs or other mailings are eliminated. Moreover, we assist
companies maintain up-to-date records to ensure that their customers opt-in or opt-
out requests are properly honored.
Informational Products
Acxiom also offers a complementary line of information products that represent
the remaining ten percent of our gross revenues. Our InfoBase information products
allow businesses to make smarter and faster strategic decisions, streamline cus-
tomer communication at every point of contact (Website, telephone, store, wireless,
and more), personalize and target various communications, and strengthen relation-
ships with their customers. The majority of our testimony today further explains
these products.
THE ECONOMIC NEED FOR ACXIOMS INFORMATION PRODUCTS
Acxioms information products help fill an important gap in todays business to

consumer relationship. Think back to 1901. The local shop owner knew his cus-
tomers and his market well. The shop owner was familiar with what they bought,
what they liked to do, how they spent their time and something about their family.
Today, large and small businesses are trying to achieve the same level of knowledge
about their customers interests and needs as the small shop owner enjoyed a hun-
dred years ago. This need for knowledge is not new. In the current environment,
however, with customers shopping remotely via the Internet, on the phone and
through catalogs, securing information about customers that allows companies to
better serve them is more difficult to accomplish.
In our information-based economy, companies grow by exceeding consumer expec-
tations with unparalleled products and services of the highest quality. Despite tech-
nological advances, businesses do not instinctively know what their customers want
and need. Acxioms information products provide the additional knowledge nec-
essary for businesses across diverse industry sectors to stay in touch with and to
satisfy their customers in order to achieve profitability and market growth.
53
Our role is to help businesses systematically recognize and engage consumers
who, with the aid of our information products, are believed to be those with a likely
interest or need for their products, or services. While changing technology, such as
the Internet, has largely reshaped the mechanics of how commerce is conducted, the
basic strategy of marketing remains constantthe operational need to focus a com-
panys marketing efforts on those most likely to have an interest or need in their
products or services.
With Acxioms information products, companies have been able to accomplish
goals such as:
A kitchen and bath store used age to recognize their elderly customers in order
to offer them a new senior-lifestyle product line of kitchen and bath enhance-
mentsshower grips, bath stools, large print stove dials, large print clocks, and
better grip door-knob covers.
A bookstore used age to recognize the right audience to promote a new line of
large-type books, including large-print Bibles.
A major publisher used the knowledge of which subscribers had younger children
in the household to promote a new publication for kids, which was co-branded
with Crayola.
A computer software company used the knowledge that certain households owned
a computer to promote in-home access to educational software.
A computer manufacturer employed information on households that did not have
computers to offer a special purchase price in order to encourage the use of edu-
cational and in-home financial management software.
A retailer used the knowledge about which customers in their area had swimming
pools to offer special products and prices for pool toys and supplies, as well as
an inventory management resource to determine how much merchandise of this
type to stock in each local store.
A local bass fishing supply store launched a catalog to reach customers outside
their store trading area by knowing which households had a passion for their
specialtyfishing.
A small tool company expanded their customer base by mailing catalogs to profes-
sionals interested in power tools at a discounted price.
A local day care program promoted a special offer to single moms in their local
community.
A literacy program in English was focused on reaching non-English speaking fam-
ilies in rural areas.
Without the use of our information products, each of the businesses in the pre-
ceding examples would have been less effective in communicating with their existing
and potential customers. Consequently, the real winner in the use of information
to engage consumers is the consumer.
The following chart has been provided to assist the Subcommittee in under-
standing the information marketplace from a more macro perspective, as well as the
key role that Acxiom plays in this interchange.
54
Consumers expect to complete transactions quickly, obtain the best price possible,
and be able to choose from a wide variety of products and servicesas reflected in
point A on the chart. Businessespoint B on the chartrespond to the expectations
by working hard to understand their customers and their market. To do this effec-
tively, they need information beyond that collected during the sale. If the informa-
tion cannot be collected directly from the consumer, then it is available from two
sourceseither directly from other merchantspoint Cor from information com-
pilers, including Acxiompoint D. Information compilers use public information,
primarily obtained from the government, or in some cases collected from other busi-
nessespoint Ethat obtain the information through their relationship with the
consumerpoint F.
Information Product Development
Acxiom begins its information product development with the identification of a
marketplace need. For example, in order to achieve growth and product objectives,
businesses may need to know something about the characteristics of a household.
Is it a single adult household, or is it a married couple? Do they have children, and
if so, are they small children, teenagers, or college aged? Other relevant characteris-
tics might include whether the household has an interest in certain hobbies, such
as cooking or gardening, or participates in certain activitiesdo they play tennis,
golf, or both? Such characteristics are extremely relevant in determining whether
a consumer in that household may want to learn more about a product or service.
Once a particular information need by business has been identified, Acxiom com-
piles or acquires the relevant information from a variety of sources and aggregates
it by household. This is a complex process which varies on a case-by-case basis.
However, it is important to emphasize that in all such efforts, any data collected
is general in nature and not specific to transactions or events. It does not include
details on specific actions that an individual has taken, confidential medical infor-
mation, or specific information regarding children. Once the data is collected,
Acxiom must clean, integrate, and package the information into a product that
meets the marketing needs and information demands of businesses. We invest sig-
nificant time and resources in developing these products. Finally, a successful infor-
mation product provides Acxioms customers with enough of the right information
to solve their specific business problem or need.
Acxiom does not sell data on one individual or one household at a time. We do
not sell information to the general public. Information is sold by the thousands of
elements or records to qualified businesses. We perform a credit check on all pro-
55
spective customers. Once we are satisfied about our customers qualifications, we re-
quire them to sign a contract that binds their use of the information acquired from
us for specifically articulated purposes. Acxiom and our customers typically enter
into long-term contractsone, three, or five yearsfor use of a particular informa-
tion product.
Categories of Acxioms Information Products
Our information product offerings provide needed intelligence for three primary
functions: (1) our directory products provide telephone information necessary to lo-
cate, verify or contact consumers by phone; (2) our enhancement products provide
the information businesses need to better understand their customers and their
market; and (3) our list products provide access to consumers who are potential fu-
ture customers. As mentioned earlier, these products comprise about ten percent of
Acxioms gross revenues.
Directory Products: Containing name, address, and telephone number, Acxioms
line of directory products are compiled primarily from the white and yellow pages
of published U.S. and Canadian telephone directories5,900 different directories in
the U.S. alone.
For example, we license some of our directory products to companies as an inex-
pensive form of directory assistance and to Websites that provide free nationwide
directory assistance. These Web-based directories benefit consumers in many ways,
such as providing help in finding friends or family members with whom individuals
may have lost touch.
In all our directory products, Acxiom respects a consumers choice regarding un-
published numbers. The names and numbers we include in these widely-used direc-
tories are derived only from those consumers who have elected to have their number
made publicly available by their local telephone carrier. Moreover, for consumers
who contact us in writing, through our Website, or by calling our toll-free Consumer
Hotline, Acxiom offers the option to opt-out of this service if, for instance, the con-
sumer wants to keep a published number in the local printed telephone book, but
not have it available on a Web-based directory.
Enhancement Products: Acxiom also offers businesses lifestyle, demographic, and
interest data on their customers to enhance the companys knowledge about their
customers and provide a better understanding of their customers desires, needs,
and changing characteristics. Demographic data includes such information as the
makeup of the householdsingle, married, with or without children. Lifestyle data
might include information such as home ownership, retirement status, or average
income strata of the neighborhood. Interest information would identify a passion for
cooking or golfing.
This demographic, lifestyle and interest information is added to a companys al-
ready-existing customer files, known as response lists. The information is general
in nature. We do not provide detailed transactional information. We license en-
hancement information to qualified businesses through a menu-oriented approach.
Businesses license only the data needed for a particular business decision or proc-
ess. In many cases, we have pre-packaged information groups to meet common or
recurring business needs for specific industries.
How might a business use enhancement information? First, it is used to better
understand the interests and needs of current customers. Second, enhancement data
is employed to identify the best market segments for up-selling or cross-selling par-
ticular products. Finally, demographic, lifestyle, or interest data can help identify
characteristics common in a business best customers in order to target similarly-
situated prospective customers who may be more likely to have an interest or need
for the companys products or services.
List Products: Acxiom offers prospect lists as a third type of information product.
These lists are built from a variety of information sources, and represent broad cov-
erage of the population. Prospect lists, which contain much of the same information
contained in our enhancement products (including demographic, lifestyle, and inter-
est information), differ from a particular companys response lists in so far as they
contain information about consumers with whom the company has had no prior re-
lationship.
Prospect lists allow businesses to take the information about their best customers
and apply that knowledge to selecting likely households of potential new customers.
Acxiom sells prospect lists to businesses, not-for-profit organizations, and political
parties and candidates.
Data Sources for Acxioms Information Products
The information we acquire to build our information products is obtained from
three general types of sourcespublic information, self-reported information, and
56
summary customer information from companies who have consumers as customers.
Acxiom compiles or acquires this information from several hundred carefully chosen
sources with whom we have cultivated and maintained long-term contractual rela-
tionships.
Public Information: Public records and publicly-available information are the
foundation of Acxioms information products. The types of data that Acxiom ac-
quires or compiles include: telephone directories and other types of publicly-
available directories, property records, and other state and county public
records. This information provides the basic names, addresses, and general de-
mographic information, such as home ownership, profession, and the age of
members of a household.
Self-Reported Information: Surveys and questionnaires are an additional
source for demographic information and provide much of the lifestyle and inter-
est information we acquire. Consumers are asked to voluntarily complete sur-
veys, such as those contained on warranty cards, from a variety of companies
asking for specific information. In these cases, the consumer is customarily pro-
vided the opportunity to opt-out of further use of the information beyond that
of the company conducting the survey.
Information from Merchants: Acxiom acquires some information directly from
companies who sell products and services to consumers. In these instances, we
ensure that consumers have received an opportunity to opt-out of their informa-
tion being shared with a third party, such as Acxiom. Also, we only receive very
general summary information that indicates possible lifestyle or interest data.
We never receive detailed transaction information. Rather, general information
that we acquire is used to extrapolate lifestyle or interest characteristics. For
example, knowing that certain households subscribe to a magazine on golf
would indicate that those households have an interest in golf, just as the fact
that those households ordered that subscription from a Website would indicate
that they are Web-enabled.
In some cases, Acxiom compiles information directly from the source, such as the
telephone directory and the property records. In other cases, Acxiom acquires this
information from other reputable information providers, who perform the original
compilation, or we acquire the information directly from the business holding the
relationship with the consumer. Acxiom carefully screens all information providers
and businesses from which we receive information to assure that the information
has been legally obtained and is appropriate for the intended use.
The information Acxiom collects on an individual or a household is always incom-
plete. Acxiom does not have information on every individual, and we do not have
the same kind of information on all individuals. For example, we may or may not
have the telephone number of a household. We may or may not have property infor-
mation. We may or may not have lifestyle or interest information. Our goal as an
information provider is to provide sufficient coverage of various data elements to
meet the market needs for that particular piece of information.
The following chart summarizes the process Acxiom uses to take information from
a variety of sources and to develop specific information products designed to meet
the business needs of various markets.
57
RESPECTING CONSUMER PRIVACY
Acxiom has a long-standing tradition and engrained culture of respecting con-

sumer privacy in the development and marketing of our information products. I
have been employed by Acxiom for 27 years, and I have been responsible for privacy
oversight since 1990. Privacy has been my full-time job over the past three years.
Since Acxiom does not have a customer relationship with individual consumers,
we do not routinely have direct contact with the individuals whose data we hold.
Therefore, we ask our customers to refer any individual consumer to Acxiom who
may inquire about the sources of data they have obtained from us. Since 1997, we
have posted our privacy policy on our Website, before it was an established and
common practice. Acxiom maintains a Consumer Care Department to handle con-
sumer inquiries. We also provide consumers who contact us in writing, through our
Website, or by calling our toll-free Consumer Hotline the option to opt-out of all of
our marketing products.
Our privacy policy is designed to adhere to all Federal, State, and local laws and
regulations on the use of personal information. In addition, Acxiom follows the in-
dustry self-regulatory guidelines of a number of trade associations in which we are
active members, including the Direct Marketing Association, the Online Privacy Al-
liance, and the Individual Reference Services Group. These guidelines include post-
ing a notice that describes what data we collect, how we use it, to whom we sell
it, as well as what choices consumers have about the use of that data. We recently
certified under the European Union Safe Harbor and have applied for and are in
the final stages of being certified for the BBBOnline Seal.
Acxiom is also an active member of the Privacy Leadership Initiative and the Coa-
lition for Sensible Public Record Access. We believe that consumers should be edu-
cated about how businesses use information. To that end, we publish a booklet, enti-
tled What Every Consumer Should Know About the Use of Their Individual Infor-
mation, which is available both on our Website and upon written or telephone re-
quest.
Acxiom takes its responsibility toward protecting consumer information seriously.
Beyond the industry accepted guidelines which we follow, we have also established
our own guidelines which are more restrictive than industry standards. For exam-
ple, we do not provide Social Security numbers or other personally identifiable infor-
mation about children in any of our products. Moreover, we only capture the specific
information required to meet our customers information needs, discarding the re-
maining data, when we compile information from public records. These voluntary
information practices are internally and externally audited on a regular basis.
58
MYTHS ABOUT INFORMATION PROVIDERS
With the full picture of Acxioms business operations now outlined to better ex-
plain what we do, I believe it is important to close by reiterating for you what
Acxiom does not do. Over the years, a number of myths have developed about the
information industry that require clarification. Please allow me to set the record
straight:
Acxiom does not have one big database that contains detailed information about
all individuals. Instead, we have many databases developed and tailored to
meet the specific needs of our business customersentities that are carefully
screened and with whom we have legally-enforceable contractual commitments.
Acxiom does not provide information on a particular individual to the public. The
information we sell is provided only to qualified businesses for specific legiti-
mate business purposes. I cannot call up from our databases a detailed dossier
on any of you, let alone me.
The information we provide cannot be used, according to existing law, for deci-
sions of credit, insurance or employment. These activities are regulated by the
Fair Credit Reporting Act and such uses are prohibited under our contracts.
Acxiom does not contribute to the nations identity theft problem. We do not sell
Social Security numbers or credit card numbers to anyone, nor do we sell credit
or other detailed personal financial information that could be used to steal
someones identity.
Acxiom does not develop any information products containing sensitive informa-
tion. We define sensitive information as personal information about children,
medical information, and detailed financial information. The only exception to
this would be a situation where the consumer has opted-in to volunteer such
information for distribution or where the information may be a part of the pub-
lic record.
Acxiom does not sell detailed or specific transaction-related information on indi-
viduals or households, such as what purchases an individual made on the Web
or what Web sites they visited. The information we provide is general in nature
and not specific to an individual purchase or transaction. For marketing pur-
poses, businesses need information about the household, not the specific individ-
uals comprising the household.
Mr. Chairman, on behalf of our over 5,000 associates, Acxiom appreciates the op-
portunity to appear today to share with the Subcommittee a detailed overview of
our core business operations. We also wish to thank you, Mr. Chairman, for the de-
liberative and thorough approach with which this committee has studied the appro-
priate and inappropriate uses of information in our economy. Acxiom is available
to provide any additional information the Subcommittee may request.
Mr. Ford, your opening statement?
STATEMENT OF JOHN A. FORD

Mr. FORD. Mr. Chairman, Mr. Towns, counsel. I am John Ford
thats Chief Privacy Officer, sirfor Equifax. I thank you for this
opportunity to summarize the written statement that Equifax sub-
mitted for the record.
I am going to talk a bit fast so that I can stay within the time
limit, so let me get straight to the point. Equifaxs view is that per-
sonal information for marketing purposes provides important bene-
fits to consumers, to businesses, and to our economy, and that the
potential privacy risks or harm arising from these uses are small,
are already subject to effective privacy safeguards, and need not be
subject to further privacy regulation.
Founded in 1899, Equifax is the oldest and the largest of the
credit reporting companies in the United States. Our activities here
are regulated under the Fair Credit Reporting Act and related
State statutes. As a separate company, Equifax Direct Marketing
Solutions maintains one of the largest marketing data bases in the
world.
59
I want to emphasize that our consumer reporting data base is en-

tirely separate and distinct from our direct marketing data bases
physically, managerially, operationally. As a responsible steward of
information, Equifax is committed to the fair and ethical use of
data, the free flow of information, self-regulatory initiatives, and to
forging effective information privacy solutions.
When assessing privacy risks and harms, at least four key topics,
I think, are relevant. First is source: is the source of the informa-
tion reputable and reliable? Second, content: is the data base infor-
mation aggregated, anonymous, or is it personally identifiable, is it
sensitive?
Use: will the information be used to benefit the individual, or
does its use put the individual at risk for adverse action? And fi-
nally, privacy protections: are there adequate privacy protections
already in place?
The answers to all of these questions, I believe, support the con-
clusion that the privacy risk or harm from direct marketing is
minimal, the benefits are substantial, and little basis exists for
more governmental regulation.
Regarding sources, at Equifax much of the personally identifiable
information provided for marketing purposes is consumer self-re-
ported data. Third-party data sources include public record reposi-
tories, other government agencies that provide, for example, hunt-
ing or fishing license information, and other types of reputable
sources using publicly available data, such as telephone white
pages or other directories and exchanges, and census data.
Regarding content, our marketing data bases contain primarily
information that is predictive: that is, information that describes
the characteristics that people who live in a particular geographic
area are likely to have. Even when the information is more granu-
lar, it typically describes buying characteristics of a household, not
necessarily of a specific individual.
We do collect sensitive, personally identifiable information, but
only when the consumer has voluntarily provided it. The personal
information we obtain for marketing purposes is not used for risk
assessment; rather, the information is used to efficiently shape and
deliver the kinds of offers an individual is most likely to want. As
a result of direct marketing, consumers become aware of new prod-
ucts and services, businesses sell more products more cost-effec-
tively, and the economy grows.
Some have suggested that such target marketing provides some
consumers advantages over others who do not receive the direct
mail offer. The fact is, businesses have a limited number of dollars
to support marketing campaigns. It only makes sense that busi-
nesses would seek to achieve the best return possible by focusing
on those most likely to respond. Similarly, Members of Congress do
not mail campaign solicitations to every constituent, but usually
only to those who have given before or who are more likely to re-
spond.
As I said at the outset, Equifax has adopted privacy protections
for marketing data that are appropriate to the use and any poten-
tial harm. For example, we have always contractually prohibited
our customers from using our data base for individual lookup, and
our system has no delivery mechanism for a customer to query the
60
data base based on a name. Data collection or exchange, rather, is

done in batch mode, usually computer to computer or via mag tape,
making review by an individual virtually impossible.
In sum, direct marketing is a societal and economic good. Over-
all, the process is profitable, efficient, and benign. The concept is
consumer-oriented and privacy-sensitive.
In closing, I want to congratulate you, Mr. Chairman and the
subcommittee, for your leadership in this privacy arena. We look
forward to working with you so that the marketplace might achieve
the further synergies that can arise from a better understanding,
and a greater appreciation, of the important benefits of direct mar-
keting.
[The prepared statement of John A. Ford follows:]
PREPARED STATEMENT OF JOHN A. FORD, CHIEF PRIVACY OFFICER, EQUIFAX INC.
I. INTRODUCTION
Mr. Chairman and members of the Subcommittee, I am John Ford, Chief Privacy
Officer for Equifax. I want to congratulate you, Mr. Chairman, and the members
of your subcommittee and its excellent staff for the thoughtful and thorough manner
in which your subcommittee is reviewing the information privacy issue.
In this statement, I briefly describe Equifax; our commitment to protecting con-
sumer privacy; and, from the Equifax perspective, the sources, content, and uses of
marketing data and the associated protections.
I recognize that the primary purpose of this hearing is to better understand the
flow of data in the marketing process. Beyond that, it is my intent to discuss this
process in a way that supports Equifaxs view that personal information, when col-
lected and used for marketing purposes, provides important benefits to consumers,
to businesses, and to our economy. Further, the potential privacy risks and harm
arising from the use of personal information for marketing purposes are small, are
already subject to effective privacy safeguards, and need not be subject to further
privacy regulation at this time.
II. EQUIFAX
A. Background
Founded in 1899, Equifax is the oldest and largest of the companies that provide
consumer information for credit and other risk assessment decisions. These activi-
ties are regulated under the Fair Credit Reporting Act and dozens of related state
statutes. In addition, Equifax Direct Marketing Solutions, formerly part of Polk,
maintains the largest marketing database of lifestyle and compiled data in the
world. At the outset, I want to emphasize that the personally identifiable informa-
tion in our consumer-reporting database is entirely separate and distinct from infor-
mation contained in our marketing databases. In fact, the databases are managed
by totally separate Equifax companies.
B. Equifaxs Longstanding Commitment to Privacy
More than a decade ago, Equifax was one of the first U.S. companies to develop
and adopt a meaningful privacy policy. At the risk of sounding flippant, we were
privacy before privacy was cool. As a responsible steward of information, our com-
mitment to consumer privacy has remained steadfast. We remain committed to
three Core Values, described in greater detail in Section III.D. below, in order to
foster the fair and ethical use of data. We support self-regulatory and marketplace
initiatives to balance the substantial benefits of the free flow of information and the
legitimate concerns about the privacy of personally identifiable data, and we seek
opportunities to work with governments, consumers, and businesses to forge effec-
tive solutions to the complex information-use issues worldwide.
C. Equifax Products
Equifax believes that the marketplace can offer solutions that enlighten, enable
and empower our customers and consumers to address effectively some of the infor-
mation-use issues today. So, increasingly, Equifax is providing products directly to
consumers to assist them in understanding their credit profiles and to empower
them to fight identity theft and manage their fiscal health. For example
61
Equifaxs Score Power gives consumers access to their actual BEACON credit
score, along with an explanation of how that score is used by credit grantors
and recommendations about how consumers may improve their score.
Equifaxs Credit Profile gives consumers online access to the information in
their Equifax credit file.
Equifaxs Credit Watch provides consumers with online notification of changes
to their credit file within twenty-four hours, thereby providing early detection
of potential identity theft.
Equifaxs eIDverifier patent-pending product permits consumers to use informa-
tion from their consumer credit report to establish their identity virtually in-
stantaneously in a reliable and secure manner so that they can obtain products
and services online. This service deters identity theft and fosters trust in e-com-
merce by facilitating an electronic handshake between a known consumer and
the online vendor. Subsequent online transactions are encrypted, further en-
hancing trust and protection.
III. MARKETING AND PRIVACY
When assessing privacy risks and harm, at least four key topics are relevant:
1. Source. Is the source of the information reputable and does it put the record sub-
ject on notice that information is being collected?
2. Content. What is the content of the informationis the information aggregated
or anonymous or is it personally identifiable and is it sensitive?
3. Use. Will the information be used to benefit the individual or does its use put
the individual at risk for adverse, substantive action?
4. Privacy Protections. Are there privacy protections already in place to eliminate
or minimize privacy risks?
When it comes to marketing, the answers to all of these questions, I believe, sup-
port the reasonable conclusion that the privacy risk or harm is minimal; the benefits
to consumers, to business and to the economy are substantial; and little basis for
more governmental regulation exists.
A. Sources
Equifax provides information to its customers for marketing purposes from the
following categories of data sources, in conjunction with an array of analytical serv-
ices.
At Equifax, most of the personally identifiable information provided for marketing
purposes comes from consumer self-reported data. For example, Equifaxs Survey of
America and our online survey, RightOffers (www.rightoffers.com), give millions of
consumers an opportunity to voluntarily provide information about themselves and
the members of their households and to exercise choice in what kind of marketing
offers they receive. Another source of self-reported data included in the Equifax
marketing databases is product registration cards. On a voluntary basis, consumers
may provide information about themselves by responding to lifestyle or buying pref-
erence questions included on paper product registration cards, electronic product
registrations, or Internet registrations.
Other data sources include third-party data sources such as public record reposi-
tories and other government agency data sources (e.g., land records, certain license
information such as hunting and fishing licenses, and census data), and other types
of reputable third-party sources including those using publicly-available data such
as telephone white pages or other directories and exchanges.
In essence, our databases contain personal or aggregated data about individuals
or households that is self-reported, inferred through sophisticated modeling proce-
dures, or obtained from reputable third-party sources, including public record or
publicly-available sources.
B. Content
The vast majority of information held by Equifax for marketing purposes is not
personally identifiable information. Information does not have to be personally iden-
tifiable in order to be useful to marketers. Marketers can successfully market their
products and services on the basis of predictive, aggregated information. Whether
aggregated data is appended to a clients list of names and addresses, offered with
our analytical services, or used to develop a predictive model, the key purpose is
to help companies market products and services to consumers who are likely to be
interested. This information is very valuable to marketers for predicting consumer
spending patterns. Consumers benefit because they receive only those offers in
which they are likely to have an interest. Whats the result: Consumers become
aware of new products and services, businesses sell more products more cost-effec-
tively and the economy grows.
62
While the vast majority of information held by Equifax in its marketing databases
is not personally identifiable, as indicated above, Equifaxs marketing databases do
contain some name and address information. Naturally, marketers must have name
and address information in order to communicate their offers directly to consumers.
It is important to note, however, that the information included within the Equifax
marketing databases is not organized so as to be readily and easily retrievable by
personal identifiers (i.e., name and address).
Our marketing databases contain primarily information that is predictive, psycho-
demographic information, such as Zip+4 informationthat is, information that de-
scribes the characteristics that people who live in a particular geographic area are
likely to have, including lifestyle information.
Even when the information is more granular than geographic Zip+4 type infor-
mation, the information describes some of the buying characteristics of a household,
not necessarily of a specific individual. For example, both the Survey of America and
the online RightOffers survey provide information that is used as a primary source
for our marketing databases. Both surveys ask participating consumers to provide
certain lifestyle information, including information about their leisure activities and
hobbies and those of the other members of their household, as well their preferences
regarding product categories and/or brands. In addition, consumers are asked to pro-
vide certain demographic information such as marital status, month and year of
birth, and occupation for household members. The information collected from sur-
veys is used in the aggregate to better understand consumer preferences, past buy-
ing behavior, and responsiveness to direct marketing.
Finally, in no instance is the marketing information we collect sensitive person-
ally identifiable information, unless the consumer has voluntarily provided it. Even
then, the data pertain to the household, not an individual.
C. Uses
It is very important to emphasize that personal information obtained for mar-
keting purposes is not used for risk assessment purposes. Marketing data is not
used to make decisions about whether an individual obtains or retains a job, insur-
ance, or a government license or benefit. Instead, the information is used merely
for the purpose of efficiently shaping the kinds of offers an individual receives.
Some have suggested that such target marketing provides some consumers with
an advantage over others who do not receive the direct mail offer. It only makes
sense that businesses would seek to cost-effectively align their marketing with their
markets, achieving the best return possible by focusing on those most likely to re-
spond. The simple truth is that businesses have a limited number of dollars to sup-
port marketing campaigns. Similarly, Members of Congress do not mail campaign
solicitations to every constituent but only to those in their party and then only to
those who have given before or who are more likely to respond. In order to accom-
plish this goal, marketers must direct their offers based upon their understanding
of consumers buying preferences and willingness to respond to direct marketing of-
fers. Individual consumers are not excluded from receiving marketing offers.
In addition, marketers constantly refine their marketing campaigns based upon
changes in consumer spending patterns and other predictive information. As a re-
sult, the audience to which a marketer directs its offers may change. Furthermore,
consumers who express an interest in a particular product or service directly to a
marketer are likely to be included in marketing campaigns.
D. Privacy Protections
As I said at the outset, Equifax has adopted privacy protections for marketing
data that are appropriate to the use and any potential harm. For example, we pro-
vide consumers with notice and opportunities to opt-out (sometimes opt-in) of
Equifaxs use of marketing information. We provide consumers who participate in
our Survey of America with the opportunity to specify on the Survey how their in-
formation may be used. Survey of America participants may opt-out of receiving fu-
ture survey questionnaires, product samples and coupons in the mail, or coupons
and special offers from companies via email by simply checking the appropriate
boxes on the Survey form. Consumers who complete product registration cards have
similar opt-out opportunities.
In addition, in some situations, we provide opt-in opportunities. At our
RightOffers website, not only do we provide consumers with the ability to opt-in
to marketing uses by selecting only those categories of offers that they want to re-
ceive, but we have implemented a double opt-in system. Under that system, once
we receive a completed RightOffers survey, we send the consumer an email asking
the consumer to confirm his/her desire to receive offers. Furthermore, RightOffer
63
participants may update their information by revisiting the site and are free to
unsubscribe at any time.
We also employ state-of-the-art technology to help ensure data integrity and secu-
rity. In addition, our customers are prohibited from using our marketing databases
for individual look-up purposes. We have always contractually prohibited our cus-
tomers from using our database for this purpose. Furthermore, we have designed
our system so that we have no delivery mechanism for a customer to query the
database based on a name; therefore, no individual look up is offered or feasible.
Further, Equifax provides consumers with meaningful and practicable privacy
protections through our compliance with a variety of self-regulatory programs pro-
viding consumer rights and redress. We adhere to the self-regulatory principles of
organizations such as the BBBOnline Privacy Seal program, the Online Privacy Alli-
ance, and the Direct Marketing Association.
Finally, in consultation with renowned privacy expert, Dr. Alan Westin, Equifax
conducts privacy audits of our procedures as well as our products and services to
ensure high standards of privacy protection and, in fact, to provide a value-added
quality.
All of these protections are consistent with Equifaxs three Core Values to which
we adhere in order to protect the fair and ethical use of data
Core Value I: Equifax is committed to the ethical use of data and to maintaining
the highest standards of consumer information privacy. We adhere, therefore,
to a meaningful set of self-regulatory privacy principles enterprise wide.
Responding to and anticipating evolving technology and changing societal de-
mands, we have managed sensitive consumer data in an ethical manner for
more than 100 years, earning a reputation as a responsible steward of infor-
mation.
We provide consumers with noticethe ability to know what and for what pur-
pose personally identifiable information about them is collected and used.
We provide consumers with choicethe ability to opt-out of our use of marketing
information about themselves; and where feasible, the ability to opt-in to cer-
tain marketing uses.
When feasible, we provide consumers with access to and a correction procedure
for personally identifiable information about themselves used for non-credit-
marketing purposes.
To ensure data integrity and security, we employ state-of-the-art technology and
tested procedures to collect, store and transmit personally identifiable infor-
mation. Because commerce and our reputation are on the line, we have a
vested interest in the quality of the information in our databases. Thus, we
employ stringent practices and procedures to maintain the highest standards
of data accuracy, reliability and completeness that humans and technology
can achieve.
Equifax provides individuals with meaningful and practicable remedies and re-
dress in the event individuals are harmed by the misuse of personally identifi-
able information about them. These remedies arise from several sources:
Equifax adherence to our own privacy principles and to other industry self-
regulatory principles governing the use of personally identifiable consumer
and commercial information; adherence to the requirements of the BBB On-
line Privacy Seal; from the Federal Trade Commissions enforcement of the
unfair and deceptive practices provisions of its charter, and from compliance
with US and international laws, including the European Union Data Protec-
tion Directive.
Core Value II: Equifax supports and has launched business self-regulatory and
marketplace initiatives designed to balance the substantial societal benefits of
the free flow of information and the legitimate concerns about the privacy of
personally identifiable data.
Equifax adheres to the privacy principles and requirements of the BBBOnline Pri-
vacy Seal, the Online Privacy Association, and the Direct Marketing Associa-
tion, as well as to the information-use initiatives of the Coalition for Sensible
Public Record Access (CSPRA) and the Associated Credit Bureaus, Inc.
Equifax will only do business with entities that adhere to meaningful fair infor-
mation practices that effectively address the concepts of notice, choice, access,
security, and redress.
Equifax enlightens, enables and empowers consumers to monitor their financial
health using product solutions to address consumer privacy issues such as
identity theft and credit score disclosure.
Equifax employs and provides our customers with patent-pending identity authen-
tication technology and a wide range of other products and services that en-
able our business customers to make sound risk assessment decisions and rel-
64
evant marketing offers to consumers through the appropriate and ethical use
of personally identifiable information.
Consumers and business both expect to conduct business transactions instanta-
neously and securely. The free flow of relevant information to legitimate busi-
nesses makes this possible.
Legitimate business access to relevant consumer information is critical to achiev-
ing a number of societal benefits: thwarting identity theft, locating estate
heirs, witnesses, child support delinquents, debtors, missing children, organ
donors, etc.
Core Value III: Equifax seeks opportunities to work harmoniously with govern-
ments, consumers and businesses to forge effective solutions to the complex pri-
vacy and ethical information-use issues worldwide.
Governments first must enforce existing laws concerning use of personally identi-
fiable information and should consider enacting applicable laws only after in-
dustry self-regulatory measures fail.
If industry self-regulatory initiatives fail after being given a fair chance, Equifax
then supports government regulation that is relevant, not unduly restrictive,
and that clearly resolves the perceived imbalance.
In an e-commerce, online environment, national governments must adopt preemp-
tive measures to ensure that the transmission of information and online
transactions are seamless across geographical boundaries.
In considering privacy law and policy, governments should recognize the dif-
ferences between the impact of and the potential harm arising from the use
of personally identifiable information for financial decisions and that used for
marketing or other less serious purposes. Privacy laws should pivot not on the
source, but on the content and the use of the individual information.
Consumers must take some responsibility for educating themselves about privacy
policies, procedures, products, and technologies that enhance consumer infor-
mation protection and increase trust in transactions.
Under the privacy bargain, consumers should expect the level of information pri-
vacy protection commensurate with their demands on business, the benefits
sought and the sensitivity of the information exchanged.
Businesses that collect, maintain and use personally identifiable data have a re-
sponsibility to develop and implement an effective privacy program and to
employ ethical information practices.
The business community has a responsibility to develop products and services
that allow consumers to participate safely in the information marketplace and
to protect their own privacy.
Equifax has taken the lead by providing online solutions that enlighten, enable
and empower consumers to manage their financial health. These easily acces-
sible products allow consumers to examine their credit file, monitor changes
in it to thwart identity theft, and to obtain and understand their current cred-
it score.
Equifax will continue to develop products and services and, in concert with other
industry members and associations, develop programs designed to empower
and enable consumers and customers to better manage privacy and risk
issues.
IV. CONCLUSION
In sum, direct marketing is a societal and economic good. The process is profit-
able, efficient and benign. The concept is consumer oriented and privacy sensitive.
In closing, I want to thank you again for the opportunity to testify and to con-
gratulate the Chairman and the Subcommittee for their leadership in the privacy
arena. We look forward to working with you so that the marketplace might achieve
the synergies that can arise from a greater understanding and appreciation of the
important societal benefits of direct marketingthat is, efficient direct marketing
conducted in a self-regulatory environment that embraces effective privacy protec-
tions.
Mr. STEARNS. Thank you, Mr. Ford. And we have corrected our
we have you as Chief Privacy Officer, instead of Policy Officer, and
we are sorry.
Mr. FORD. Thank you.
Mr. STEARNS. Opening statement?
65
STATEMENT OF DEBORAH ZUCCARINI
Ms. ZUCCARINI. Good morning, Mr. Chairman and subcommittee
member Towns. Thank you for the opportunity to address the sub-
committee as it studies information use, particularly as it relates
to marketing.
My name is Deborah Zuccarini. I am Executive Vice President
and Chief Marketing Officer for Experian Marketing Solutions. My
comments today summarize key issues addressed in a much more
detailed statement I have submitted for the record.
Experian is one of the worlds leading information services pro-
viders, with more than 30,000 North American customers. Our in-
formation solutions help businesses in over 50 countries expand
their markets, make sound lending decisions, and provide the prod-
ucts and services their customers need and desire.
We have been responsible stewards of the information we collect,
maintain, and utilize for decades. Experian takes information secu-
rity and consumer privacy very seriously. Our business practices
and culture reflect our resolve to ensure information is used to
bring benefit to both businesses and consumers, while ensuring
consumer privacy is protected. A thorough discussion of our ap-
proach to privacy is included in my written statement, including
consumers choice to opt out.
There is a great deal of misunderstanding about marketing infor-
mation use, which has led to a number of popular myths about di-
rect marketing. During the next few minutes, I would like to try
to dispel a few of the most pervasive myths.
I suspect the myth most responsible for this meeting is that mar-
keting information is used to create detailed individual consumer
profiles. That simply is not true. Mr. Chairman, subcommittee
member Towns, with all due respect, data compilers dont care who
you are as an individual. From our information, marketers want to
know about the general characteristics of their overall market or
key market segments. Specific characteristics about a single indi-
vidual do not provide useful marketing insight. For that reason,
marketing data bases typically are not designed to provide a list
of one.
Our marketing information consists of estimated or modeled
data, summarized U.S. Census data, other publicly available infor-
mation, or self-reported consumer survey data. It is typically used
to reach lists of thousands of consumers with an offer of interest
to them, not to review a single record about an individual.
In the end, direct marketing using our compiled data is just ad-
vertising. Just as television advertising brings you the Super Bowl,
direct marketing advertising brings you the products, services, and
other benefits that businesses have to offer. Direct marketing al-
lows many small businesses and new market entrants to advertise
and compete, even without a Super Bowl budget.
The second common myth is that marketing information is used
for individual look-up. Experian marketing information services are
not utilized to locate, identify, or verify the identity of individuals.
In fact, our contracts prohibit the use of marketing information for
such applications. In the information industry, we refer to such in-
formation use as individual reference services. We separately offer
these services to law enforcement and other qualified users such as
66
government agencies, who use the services for child support en-
forcement, locating witnesses and victims, and preventing fraud.
However, such services are not derived from information compiled
for marketing purposes.
The third myth I would like to address today is that marketing
information is used for credit, insurance, or employment under-
writing. This is not the case. This myth arises from confusion be-
tween marketing information and credit reporting. The Fair Credit
Reporting Act governs third-party information used for credit, em-
ployment, or insurance underwriting. Use of a marketing data base
for FCRA-permissible purposes could subject that data base to all
of the requirements of the FCRA, making it unusable for mar-
keting. Therefore, Experian prohibits such use. And that is why the
urban legend about grocery store purchases being shared for insur-
ance underwriting is just thata legend.
These and other misunderstandings contribute to heightened pri-
vacy concerns. We understand and respect these concerns, and we
work diligently to ensure consumer privacy is protected. Experian
believes that marketing information use is not a privacy threat, but
it is vital to our economy.
In the privacy debate, there seems to be an assumption that such
information use somehow causes harm, yet no evidence of real
harm has been shown. Hard questions must be asked to determine
if any real or perceived harm truly outweighs the demonstrated
economic benefits of information use for marketing. A recent study
by the Information Services Executive Council estimated con-
sumers save over $1 billion annually as a result of information
sharing in the catalogue apparel industry alone. A WEFA Group
study estimated that in the year 2000, total consumer sales attrib-
utable to direct marketing would be nearly $940 billion, and that
more than 14.7 million people would be employed throughout the
U.S. economy as a result of direct marketing activities.
We believe that responsible information use for marketing is in
the best interests of both businesses and consumers. The quality of
offers today has improved significantly over the years, resulting in
greater efficiency for businesses, lower costs for consumers, less
mail, and more opportunity.
Mr. Chairman, this concludes my remarks. Thank you for invit-
ing Experian to present our view on these important issues. We
would be happy to answer any questions you or other sub-
committee members may have.
[The prepared statement of Deborah Zuccarini follows:]
PREPARED STATEMENT OF DEBORAH ZUCCARINI, EXECUTIVE VICE PRESIDENT AND
CHIEF MARKETING OFFICER, EXPERIAN MARKETING SOLUTIONS
SUMMARY
For more than 50 years Experian has been a leader in the information industry.
In fact, the companys roots date back more than 100 years to the pioneers of credit
reporting. Its success is based on sound information values that guide the develop-
ment of practices and policies that protect consumer privacy, ensure security and
provide benefit to consumers and our business clients alike.
Responsible information use today affords consumers greater choice, convenience,
and lower prices than ever before. In past decades, our economy was local. Con-
sumers lived where businesses were located. Product and service choices were lim-
ited to what was available in a consumers neighborhood, the local main street, or
67
perhaps a nearby city. Consumers learned about businesses by walking down the
street, or reading ads in the local newspaper.
Today, our economy is national. Businesses in Los Angeles and New York compete
daily for sales to consumers in Kansas. Where once there was only a single provider
of a product or service, or maybe two or three to choose from, there now are hun-
dreds. Because of responsible information sharing, those businesses can reach con-
sumers who are most likely to need their products and services. That greatly in-
creases consumer choice and promotes competition, which drives down prices.
Unfortunately, a number of myths and misunderstandings have arisen about in-
formation use for marketing purposes. Those myths and misperceptions are the
basis for many of the privacy concerns that have brought us here today. This testi-
mony attempts to dispel three of those myths:
MYTH: Marketers want to know specific information about individual
consumers. In fact, marketers dont focus on individual consumers. Instead,
they are interested in overall market characteristics.
MYTH: Marketing databases are used for individual look-up. In reality,
marketing information is used for overall market analysis. It is not used to
identify, locate, or verify the identity of individuals.
MYTH: Marketing information is used for credit, insurance or employ-
ment underwriting. The Fair Credit Reporting Act governs information use
for these purposes. Therefore, marketing information is not utilized for these
purposes.
Unintended and unforeseeable consequences of new legislative mandates based on
such myths may jeopardize todays robust, information-based economy.
Dozens of federal and state laws govern information use for marketing purposes,
along with multiple industry self-regulatory regimes. We are concerned that current
legislation may already have gone too far, and has failed to balance economic vital-
ity with legitimate consumer interests.
Legislation already strictly controls the use of sensitive information, including
credit, financial, medical and childrens data. Additional government-mandated re-
strictions on marketing information use may result in unexpected and unintended
consequences. Small businesses, relying on cost-effective direct marketing as an ad-
vertising channel, could be forced out of the marketplace, diminishing consumer
choice and opportunity. Yet, consumers would likely not benefit from any sub-
stantive privacy protections.
Experian applies stringent information values to all of its information uses
through a strict assessment process that ensures privacy concerns are addressed
and that the information use benefits both businesses and consumers.
We consider ourselves to be stewards of the information we collect, maintain and
utilize. Our responsibility is to ensure the security of the information in our care
is protected and that the privacy of consumers is maintained through appropriate,
responsible use.
Through its Consumer Advisory Council, Experian receives valuable insight and
guidance from consumer advocates, legislators, scholars and business leaders re-
garding our information services. In addition, our Corporate Privacy Council, a
group of company leaders, meets regularly to ensure Experian information services
provide consumer and business benefit while upholding the Experian Information
Values and ensuring privacy expectations are met.
Although the pervasive myths discussed above inaccurately suggest otherwise,
Experian and others in the direct marketing industry work diligently to understand
and address consumer privacy concerns. We encourage you to continue to study the
importance of information flows to our economy. We believe the current legal and
self-regulatory framework best serves consumers and businesses. The greatest con-
sumer and business benefit is achieved through consumer notice and the oppor-
tunity to opt-out.
ABOUT EXPERIAN
Experian is one of the worlds leading information solutions companies. Primarily

involved in credit reporting and direct marketing services, we also provide ref-
erences services, analytic services, and consulting solutions, helping businesses
make better, faster decisions, and efficiently reach consumers with new product and
service offerings. Our annual sales are in excess of $1.5 billion. The chart in Appen-
dix A outlines Experians history.
Experian employs more than 6,500 people in North America. Our corporate head-
quarters are in Orange, CA, where we have 1,364 employees. Other major U.S. em-
ployment centers include:
Colorado209 employees (Denver)
68
Georgia157 employees (Atlanta)
Iowa585 employees (Mt. Pleasant)
Illinois1,398 employees (Lombard, Schaumburg)
Nebraska1,218 employees (Lincoln, Seward)
New Jersey79 employees (Parsippany)
New York220 employees (Albany, New York, Rye)
Texas802 employees (Allen, McKinney)
Vermont263 employees (Rutland)
EXPERIANS PRIMARY BUSINESS AREAS
Experian has six key business areas: direct marketing services, credit reporting,
automotive information services, customer relationship management, electronic com-
merce services and individual reference services.
Direct marketing services
Experian direct marketing services help bring businesses and their customers to-
gether. The company touches nearly one in four pieces of mail delivered by the U.S.
Postal Service. But Experian direct marketing services extend beyond targeted mail-
ing. Businesses rely on Experian to help them better understand their markets and
the characteristics of the people who do business with them. Understanding the
marketplace makes possible faster, more efficient product development and delivery,
better retail outlet and service center locations, improved customer service, more
cost-effective advertising and lower costs for consumers.
Each year, Experian ships 1.7 billion pieces of mail from its processing centers
and provides address information for more than 20 billion promotional mail pieces
delivered to more than 100 million households. Those offers present consumers with
products and services from companies about which they may otherwise never have
known. By identifying the characteristics of consumers likely to be interested in cer-
tain kinds of products and services, Experian helps marketers more efficiently reach
consumers who are most likely to be interested in a business products or services.
Credit reporting
Experian and the companies from which it was formed have provided credit re-
porting services for more than 100 years. J.E.R. Chilton began credit reporting in
Dallas, TX in 1897 by taking notes from local merchants in a little red book. Dec-
ades later, the TRW Corporation pioneered computerization of the credit reporting
process, leading to a national credit reporting system. In 1996, TRW sold its credit
reporting unit, which became Experian.
Today, hundreds of millions of credit reports are provided to lenders annually.
The ability of creditors to check a persons credit references in an instant enables
them to make rapid, sound, and objective lending decisions. That ability helps con-
sumers get the credit they need and deserve faster and cheaper than anywhere else
in the world. Enabling lenders to make objective, safe, secure loans and minimize
other credit-related losses, while providing consumers instant access to credit, has
contributed greatly to the robust U.S. economy.
Customer relationship management
Business success is built upon positive relationships with customers. Relation-
ships are built on information. Experian helps businesses establish and develop
long-lasting customer relationships through responsible information use. We help
businesses get a clearer picture of their customers across multiple business units
and market segments. We help companies understand why certain kinds of people
shop with them and what the customer needs. With that clearer understanding,
Experian then is able to provide information services that help businesses initiate
relationships with new customers, assist the businesses in developing new, desirable
products and services and aid in providing pleasant shopping and effective customer
service. The result is a better shopping experience for consumers and more profit-
able operation for businesses.
Automotive Information Services
Experian Automotive Information Services specialize in the collection and dis-
semination of vehicular data from each of the 51 United States jurisdictions. The
information is utilized to provide valuable services to auto dealers, manufacturers,
consumers and advocacy organizations, advertising agencies and internet informa-
tion sites, law enforcement and tollway authorities. Detailed vehicle history reports
enable consumers to make informed used-auto purchasing decisions. Manufacturers
rely on our services to manage recalls and conduct market analysis to manage prod-
uct supply and improve service.
69
Electronic commerce services
Experians electronic commerce division helps businesses establish a presence in
the electronic marketplace, develop relationships with online consumers and ensure
consumers and businesses enjoy positive, safe transactions. Our e-commerce division
focuses on both consumers and the businesses that reach them with patented deliv-
ery systems and best-in-the-industry security processes and systems.
For our business partners, we verify, authenticate and enhance identity informa-
tion about consumers and businesses. With enhanced authentication, clients reduce
fraud by making confident transaction decisions in real time.
For consumers, we offer a range of personal information solutions ranging from
our online credit report with real-time dispute registration, to our vehicle history
reporta must for used car purchases. We offer a subscription service for unlimited
access to credit report and credit score information along with the tools required to
better understand them. We also offer a property reportto better understand the
value of your homeor prospective home.
Individual reference services
Our reference services help people, businesses, non-profit organizations, govern-
ment agencies, law enforcement, and other organizations identify, locate, and verify
the identity of individuals. The most recognized individual reference services are the
telephone book and directory assistanceservices you use every day. They usually
include only names, addresses and telephone numbers.
More sophisticated reference services may include information about whether you
own a home or rent an apartment, how long you have lived in the same location,
and if there are additional household members.
Sensitive identifying information such as your Social Security number, drivers li-
cense number, and date of birth is included in some reference services. These serv-
ices, however, are limited to use by law enforcement, government agencies, and
other organizations with a legitimate and appropriate need for such information.
THE BENEFITS OF INFORMATION USE
Because of the information services provided by Experian and its counterparts,

the United States has the most robust economy in the world, and its consumers
have greater choice and receive greater value than consumers anywhere else in the
world.
Consumer benefits of information use
Direct marketing: Direct marketing services increase choice and opportunity
and reduce costs. Each year, Experian ships 1.7 billion pieces of mail from its proc-
essing centers and provides address information for more than 20 billion pro-
motional mail pieces delivered to more than 100 million households. Those offers
present consumers with products and services from companies about which they
may otherwise never have known. By identifying the characteristics of consumers
likely to be interested in certain kinds of products and services, Experian helps mar-
keters reduce unwanted mail and send only offers that consumers are likely to want
or need. But targeted mail processing is only one of many direct marketing services
provided by Experian and its industry associates.
Market analysis services help businesses identify the common characteristics of
their customers. A richer understanding of their customer base helps businesses bet-
ter plan media campaigns, determine retail site location, develop new product offer-
ings, better position their brands, have a clearer understanding of their customers
service needs, and reach new customers. For consumers, the result is lower product
cost, better customer service, more convenient shopping, faster delivery, reduced un-
wanted mail and exposure to useful new products and services.
An April 2001 study by the Information Services Executive Council found restric-
tions on marketing information use would cost catalog and Internet apparel shop-
pers $1 billion annually.1 According to the study, that cost would be shared dis-
proportionately by inner city and rural catalog shoppers. Inner city neighborhoods
generally are under-served by traditional retail stores, and rural consumers often
live long distances from the nearest mall or retail center. As a result, these two
groups are more reliant on catalog or Internet shopping alternatives.
Similarly, a December 2000 study by Ernst & Young found members of the Finan-
cial Services Roundtable (FSR)a group of 90 of the nations top banking, insurance
and securities firmssave approximately $1 billion a year by using targeted mar-
keting. Much of that savings is passed directly on to consumers.2
FSR members report that they would send out about three to six times more di-
rect marketing if they could not use information sharing for targeted marketing.
70
Targeted marketing results in real savings for financial institutions, some or all of
which will be passed forward to customers in price reductions, the study said.
According to the study, FSR customer households annually save $17 billion and
320 million hours as the result of information sharing among affiliates and third
parties.
Credit reporting: The United States unique credit reporting system dramati-
cally increases American consumers choices and opportunities for financial services.
Because of the U.S. automated credit reporting system, American consumers can ob-
tain credit and secure other financial services at lower costs from a larger number
of providers than anywhere else in the world.
By comparison, economist Walter Kitchenman said of nations without an open
credit reporting system, As a result, financial services are provided by far fewer
institutionsone-tenth the number serving U.S. customers, despite the fact that the
pan-European market has almost one and one-half times as many households. 3 He
added, consumer lending is not common, and where it exists, it is concentrated
among a few major banks in each country, each of which has its own large data-
bases. In fact, European consumers, although they outnumber their U.S. counter-
parts, have access to one-third less credit as a percentage of gross domestic prod-
uct.
The open U.S. credit reporting system provides a foundation for lender confidence,
increasing the availability of loans, reducing the cost of credit and increasing com-
petition for customers, all of which benefit the U.S. consumer.
Individual reference services: Often the benefits of individual reference serv-
ices, and the services themselves are taken for granted. Yet they are used everyday.
People, businesses, law enforcement and other organizations utilize individual ref-
erence services routinely to locate, identify and contact people for a variety of very
positive reasons. Basic reference services, such as a telephone book, are available
to almost anyone. Experian separately provides more sophisticated services only to
law enforcement or other qualified users. A few of the users of individual reference
services and how such services are utilized are listed below.
You: through the telephone book or directory assistance to find a telephone num-
ber or an address to send a thank you note or holiday greeting.
Lenders, retailers, e-tailers: to verify the identities of potential customers and
protect you from fraud.
Law enforcement agencies: to locate crime witnesses and apprehend criminal
suspects.
Child support agencies: to locate parents who are behind in their child support
payments.
Government agencies: to find missing pension fund beneficiaries and heirs.
Alumni Associations: to contact recent graduates and send event notices to cur-
rent members.
Businesses: for product recalls and product notices.
The information included in individual reference services can range from just
names, addresses and telephone numbers, to more sensitive identifying information
including dates of birth, Social Security numbers and drivers license numbers. Ac-
cess to certain types of reference information is carefully monitored and controlled.
For instance, an individual only is allowed access to published telephone book infor-
mation. Law enforcement agencies, however, can access more sensitive data for use
in criminal investigations.
During 1998, the FBI made 53,000 inquiries into commercial individual reference
services. According to then FBI Director Louis Freeh, utilization of these services
aided in the arrest of 393 fugitives, identification of more than $37 million in
seizable assets, locating 1,966 wanted individuals and location of 3,209 witnesses
wanted for questioning.4
Overall economic benefits of information use
Experian information services promote competition in the marketplace. Informa-
tion sharing for target marketing and credit reporting opens the door for small,
emerging businesses to compete with larger, established companies. It levels the
playing field by making the cost of entry affordable to everyone.
Information sharing allows new market entrants, which cannot afford mass mar-
ket advertising and lack the customer lists of their well-established competitors, the
ability to reach those people most likely to be interested, said Fred H. Cate and
Michael E. Staten in their paper, Putting People First: Consumer Benefits of Infor-
mation-Sharing.5
According to the Ernst & Young study, FSR members save about $1 billion per
year through targeted marketing based on shared informationsavings that can
then be passed forward to customers. Almost all of the survey respondents said that
71
if they could not use targeted marketing, they would resort to mass marketing in-
stead, while a few said that they may eliminate direct marketing completely.6
The implication is that large companies could bear the cost of mass marketing
ostensibly unfettered distribution to every U.S. consumer. For small businesses, it
means being forced out of the marketplace. With reduced competition, consumers
would be faced with higher prices and less choice. The French financial banking in-
dustry provides a good example.
In a 1999 study, Walter Kitchenman said:
In France, for example, the EU country with the strictest financial privacy
laws, seven banks control more than 96 percent of banking assets. The seven
dominant French banks, each with assets of over $100 billion, already own ex-
tensive databasesand dont need to share customer information with anyone.
The fact that this system restrains innovation, hurts customer choice, and in-
creases price is not a great concern to those banks because the same system
also restrains competition and makes it easier to hold customers and capital
captive.7
As he points out, while solicitations may sometimes seem annoying to consumers,
the solicitations in fact represent a free flow of information that promotes competi-
tion among businesses of all sizes, giving U.S. consumers far more choice and oppor-
tunity at significantly lower costs.
The direct marketing industry also is an important source of employment and a
significant part of the overall consumer market. A recent WEFA Group study esti-
mated that in the year 2000, total consumer sales attributable to direct marketing
would be nearly $940 billion. The same study estimated more than 14.7 million peo-
ple would be employed throughout the U.S. economy as a result of direct marketing
activities.8
Building relationships between businesses and consumers
It has been said that credit reporting is a secret ingredient of the U.S. economys
resilience. The availability of automated, nationwide credit histories enable lenders
to make objective, sound lending decisions, reducing risk, attracting investment and
strengthening the economy.9 As a result, U.S. consumers benefit from widely avail-
able credit at lower costs than anywhere else in the world. Some estimate that be-
cause of the U.S. credit reporting system, consumers in this country save as much
as $80 billion a year on mortgage loans alone.10 But the robust nature of the U.S.
economy does not rest only with information use for credit reporting purposes.
Direct, or target, marketing results in significant savings for businesses each
year. Those savings are passed on to consumers. An Ernst & Young study indicated
members of The Financial Services Roundtable (FSR) would have to send out three
to six times more marketing offers if they could not use information sharing for tar-
geted marketing purposes. The result would be far greater costs, which would be
passed on to consumers, not to mention increased volumes of mail in their mail-
boxes.11
Restricting information use also threatens the backbone of the U.S. economy:
small businesses. Today, small businesses rely on the availability of information to
establish and expand their markets. They could not compete with corporate giants
if they were unable to utilize target marketing to reach consumers who otherwise
would not even know the business existed. Experian provides marketing solutions
to almost 4,000 small businesses across the country.
In a July 2000 paper, Fred Cate and Michael Staten presented very clearly the
danger to our economy of interfering with information sharing:
Interfering with the availability of that information hurts both consumers,
who miss out on opportunities, and businesses, who face higher costs to reach
consumers, but such interference imposes an especially heavy burden on small
companies, which cannot afford mass market advertising and lack the customer
lists of their well-established competitors. Open access to third-party informa-
tion and the responsible use of that information for target marketing is essen-
tial to leveling the playing field for new market entrants.12
The ISEC study reached the same conclusion when looking at an opt-in approach
to marketing information as opposed to the current opt-out standard. Implementa-
tion of data use restrictions would drive up total costs to consumers from 3.5 to 11
percent. The result would be devastating to small firms and new market entrants.
According to the study, Since marketing costs will likely increase if external opt-
in restrictions are put in place, some retailers will be forced to exit the market and
other, new companies will be deterred form entry. With a smaller marketplace, com-
petition suffers, giving consumers less choice and higher costs when distance shop-
ping. 13
72
It is easy to overlook the impact of information use on our local, small businesses.
We too often take for granted the local food store, pharmacy or mens clothing store.
In todays economy, they are competing not only with giant supermarkets, drug out-
let stores and shopping malls, but also with online services that may deliver to your
door. In such an environment, information sharing is critical for small businesses
just to maintain a storefront in the community.
Detecting and preventing fraud
Experians information services are a key resource in providing assistance to busi-
nesses, consumers and law enforcement to detect, stop and recover from fraudboth
online and offline. Consumer information maintained under Experians stewardship
is fueling new, state-of-the-art online verification and authentication systems, in-
cluding digital signatures. The new technology, used responsibly, is critical to the
continuing growth of e-commerce.
Individual reference services provided by Experian help law enforcement identify
and locate suspects and perpetrators of fraud, speeding arrest and prosecution.
Recently, Experian launched the National Fraud Database, the nations first re-
pository of known fraudulent activity. Participants include representatives from a
variety of industries, such as financial services, insurance, retailing and tele-
communications. Members contribute known fraud data to Experian, which then en-
ters it into the database. A National Fraud Database Report will be provided to a
participating lender, for example, when a loan application is submitted. Information
in the report matching a previously verified fraud case will help lenders prevent
fraud from occurring at the point of origin.
Participation in this ground breaking initiative has been offered to Experians
competitorsTrans Union and Equifaxas a way of solidifying the industrys re-
solve to fight fraud and identity theft.
HELPING BUSINESSES BUILD CUSTOMER RELATIONSHIPS
Why marketing information is important to businesses

Businesses rely on Experian to provide accurate, reliable information services that
help them better understand their markets and identify, contact and build profitable
relationships with new customers. Experians information solutions help businesses
better understand their markets and more efficiently reach consumers likely to be
interested in the products and services the businesses offer. That reduces marketing
costs and increases new customer satisfaction. Customer analysis and resultant
market segmentation also enables business to tailor their advertising outlets to
reach interested consumers, better position their brands, improve customer service,
and better locate retail outlets and delivery centers. The result is greater efficiency,
lower costs passed on to consumers, greater customer satisfaction and increased cus-
tomer loyalty, all of which make a business more successful.
Some myths about marketing information use
There are a number of myths and misperceptions about direct marketing and the
information in direct marketing databases. Many of these myths appear to drive the
debate about increasing restrictions on marketing information to protect consumer
privacy. Here are a few of those myths and the facts that will help dispel them.
1. MYTH: Marketers want to know specific information about individual
consumers. Direct marketing is simply another form of advertising, not unlike tele-
vision ads aired during the Super Bowl. Like Super Bowl advertisers, direct mar-
keting advertising are attempting to reach a large group of individuals who have
certain demographic characteristics that indicate they may be interested in pur-
chasing their products or services. Unlike Super Bowl advertisers that have millions
of dollars to spend on promotions, direct marketers often are small businesses, or
new market entrants without large budgets. Therefore, they need more efficient
ways to advertise to their marketplace.
Marketing databases are not designed to provide a list-of-one. Instead, busi-
nesses want to know about the characteristics of their overall market. The consumer
characteristics of a single individual do not provide useful market insight. Once a
market is better understood, a business may want to send an offer (whether offline
or online) to hundreds, thousands, or even tens-of-thousands of consumers. For that
they may receive a mailing list of names and addresses, but again, the business is
not interested in the specific information about a single individual.
Further, information in most marketing databases is summarized at the house-
hold, not individual level. Rather than analyzing information about specific individ-
uals, businesses typically consider household-level information. Much of that infor-
mation is estimated or modeled using U.S. Census data or consumer survey data.
Estimated age and income ranges and general interests are examples. For more in-
73
formation about the types of information utilized for direct marketing and informa-
tion sources, see Appendix B.
2. MYTH: Marketing databases are used for individual look-up. Experian
marketing information services are not utilized to locate, identify or verify the iden-
tity of individuals. Our contracts prohibit the use of marketing information for such
applications.
In the information industry, we refer to such information use as individual ref-
erence services. Appropriate use of these services is ensured through a strict self-
regulatory code and related industry practices.
Although you dont realize it, you probably use reference services every day. The
most common is the telephone book.
Experian separately offers more sophisticated services to law enforcement and
other qualified users, such as government agencies, who use the services for child
support enforcement, locating witnesses and victims, and preventing fraud.
However, such services are not derived from information compiled for marketing
purposes.
Marketing databases are used for overall market analysis and identifying house-
holds with consumers who are most likely interested in purchasing a product or
service. The information in marketing databases generally are not intended to be
used to locate, identify or verify the identity of individuals and is not used in that
manner. Again, marketing databases are not designed to return a list-of-one.
3. MYTH: Marketing information is used for credit, insurance or employ-
ment underwriting. The Fair Credit Reporting Act governs third-party informa-
tion used for credit, employment or insurance underwriting. Use of a marketing
database for FCRA permissible purposes would subject the database to all of the
requirements of the FCRA. The database then could be used only for FCRA permis-
sible purposes. It could no longer be used for marketing.
For that reason, Experians marketing database and credit reporting database
structures are entirely different and distinct.
And its why the legend about grocery store purchases being shared for insurance
underwriting is just thata legend.
COMPILING AND UTILIZING INFORMATION FOR MARKETING PURPOSES
Experian is a data aggregator. Our company collects and maintains information

for marketing purposes and provides information solutions enabling marketers to ef-
ficiently reach consumers who are interested in purchasing their products and serv-
ices. We are committed to providing information solutions that benefit both our
business clients and consumers. We also recognize and take very seriously our re-
sponsibility to protect consumer privacy.
We must ensure the security of the information we collect and maintain, and en-
sure that it is used appropriately. Experian takes a values approach to privacy,
which is described in greater detail below.
We provide consumers with notice regarding our information collection and use
and choice regarding that information collection and use including an opportunity
to opt-out of information collection and use by Experian.
To opt-out of Experian marketing information use, consumers need only call 1 800
407 1088.
Experian also is a member of the Direct Marketing Association (DMA). We honor
the DMA mailing and telephone preference lists.
The following sections describe Experians role as a data compiler and our ap-
proach to addressing privacy issues.
Experians role as a data compiler
Experian marketing databases contain information about more than 98 percent of
U.S. households. The information is utilized to help businesses analyze their overall
markets and market segments and to contact consumers who will most likely be in-
terested in the products and services they offer.
Experian maintains databases for two distinct purposes: credit reporting and di-
rect marketing. The data for those uses is kept separate, both physically and elec-
tronically. Experians credit reporting database is physically located near Dallas,
TX. Its marketing databases are in Schaumburg, IL. The information is maintained
and utilized for appropriate purposes and is not combined or commingled except as
allowed by law.
The information Experian collects
The information Experian collects for direct marketing purposes comes from a
number of sources, first and foremost directly from consumers. Warranty cards, sur-
veys, magazine subscriptions and sweepstakes entries all are provided by consumers
74
and are utilized for direct marketing services. Other sources include non-personally
identifiable United States Census information, public records and telephone direc-
tory information. Experian direct marketing information includes:
Census information (median or percentage values based on census track)
Lifestyle information (reported by consumers)
Interests, hobbies, activities
Public records/telephone directory information
For more information about the types of information utilized for direct marketing
and information sources, see Appendix B.
Ensuring appropriate information use
Experian found that rigid rules directing information use are quickly outdated by
todays rapidly evolving technology and constantly changing consumer and business
needs and expectations. For more than a decade Experian has taken a values ap-
proach to information use. Our five global information values ensure Experian infor-
mation services provide value and benefit to both businesses and consumers while
still enabling adaptation to cultural and regulatory changes and technological ad-
vances.
The Experian global information values are:
Balance
Experian strives to balance the interests of consumers with the business needs
of customers to ensure both receive benefit from information use.
Accuracy
Experian strives to ensure the information it collects and maintains is as accurate
and up-to-date as possible and that the information is appropriate for its intended
use.
Security
Experian protects the information it maintains from unauthorized access or alter-
ation.
Integrity
Experian complies with all laws and applicable industry codes and operates its
businesses in accordance with these information values.
Communication
Experian communicates openly about the information it maintains, how it is used
and seeks to inform consumers of their rights regarding the use of information.
Every Experian information service undergoes a formal Information Values As-
sessment before it is approved. The assessment ensures the service not only meets
all legal and self-regulatory requirements, but that it also meets security standards,
addresses consumer privacy concerns and provides value and benefit to both busi-
nesses and consumers.
Teams within each Experian business unit is tasked with ensuring new informa-
tion services undergo values assessments. These individuals and their teams work
integrally with Experian sales staff and marketing units to ensure the Information
Values are built into all of Experians products and services.
In addition, Experian seeks input from consumer groups, consumer advocates and
its business partners regarding information use to further ensure the services it pro-
vides incorporate appropriate security and privacy provisions and provide benefit to
both consumers and its business clients.
Our Consumer Advisory Council was among the first organizations of its kind.
Composed of consumer advocates, legislators, scholars and business leaders, the
Council provides valuable insight and guidance regarding Experian information
services. Consumer Advisory Council opinions and suggestions help us provide infor-
mation services that provide value and benefit to both businesses and consumers
while effectively addressing privacy issues.
The Experian Corporate Privacy Council is comprised of senior-level managers. Its
members meet regularly to discuss and address privacy issues and to ensure
Experian information services uphold the Experian information values and exceed
privacy expectations.
Experian is committed to providing consumers with notice and choice regarding
its information services. Whenever Experian direct marketing services are utilized,
consumers must be given notice of the information use and provided with an oppor-
tunity to opt-out of that information use. To opt-out of Experian marketing informa-
tion use, consumers need only call 1 800 407 1088. We comply strictly with the Di-
75
rect Marketing Association (DMA) Privacy Promise and honor the DMA opt-out
lists.
Consumer education
We produce a number of education materials that describe how information is col-
lected and utilized, our Information Values and information use policies and con-
sumer choices regarding information collection and use. All of the materials are pro-
vided free to consumers through many partnerships, among them:
State attorneys general
State and federal legislators offices
State and federal government agencies
The United States Army
The United States Navy
Offices of consumer affairs
Consumer organizations
High school and university educators
Student organizations
Divorce attorneys
Marriage counselors
Realtors
Lenders
The media
There are many others. Experian is committed to reaching consumers with the
information they need to understand how they can be actively involved in our infor-
mation economy.
We have delivered to consumers more than 1 million copies of our various Reports
on series. Our four-part Reports on Direct Marketing describe how the direct mar-
keting process works, what information Experian collects and how it is used, and
provides details on the choices consumers have and what they need to do if they
choose to opt-out.
Hundreds-of-thousands of Experians booklet 12 Common Questions about Credit
Reporting and Direct Marketing have been distributed directly to consumers and
through our many partnerships. The booklet is printed in both English and Spanish
versions.
Much of the consumer education material is available online. Experian also of-
fered the first online advice column about information use, called Ask Max. During
the past four years, more than 50,000 questions have been received from consumers,
and more than 100 columns have been published. Most column responses address
credit reporting issues because few consumers have submitted questions about di-
rect marketing.
Access
Marketing databases often are erroneously compared to credit reporting data-
bases. However, the data, data uses and structures of marketing databases and
those of credit reporting databases are entirely different. Comparison is, to use a
cliche , apples and oranges. To suggest an access and dispute process for marketing
databases like that for credit reporting is unrealistic.
The information in a credit reporting database is used to make critical lending,
insurance, housing and employment decisions about specific individuals. Therefore,
the data must be as precise as possible. Because the information is specific to the
individual and of such a crucial nature, consumers need to know and have the abil-
ity to play a role in ensuring the accuracy of the information. Information service
providers store data and manage its use. The source of the information generally
must correct any inaccuracies and update that information with the credit reporting
agency, which essentially serves as a library.
Marketing databases also serve, in a sense, as a library. But the nature of mar-
keting databases makes such a disclosure and dispute process very impractical, if
not impossible.
Unlike lenders, who need to know precise details about an individuals repayment
history, marketers need only to understand the general characteristics of their over-
all markets. By identifying those characteristics, businesses are better able to reach
consumers who will most likely be interested in purchasing the products and serv-
ices they offer. Because marketers need only to contact a broad group of consumers
who may be interested in a product or service, the information in marketing data-
bases is not precise. In fact much of the information in marketing databases is de-
rived from computer models, is estimated or is presented in ranges.
Consumers would expect a level of precision and accuracy that simply is not
present, which would make a dispute process impractical, if not impossible. Because
76
most information in a marketing database is of this nature, such a disclosure would
be of little, if any benefit to the consumer.
While providing a disclosure would be of little benefit, it likely would pose a great-
er threat to privacy than currently exists. The nature of marketing databases would
limit identification authentication largely to name and address, which is widely
available in public sources, such as telephone directories. Access requirements,
therefore, should be constructed by balancing the benefits to consumers against the
risks to them and the costs to companies that hold the data.
Requiring access would require information aggregators like Experian to create
the very kind of database you are most concerned about. In order to provide access,
a marketing database would have to include detailed, personal information that
could be compiled and provided easily and quickly in highly detailed individual dos-
siers. This is the very thing we want to avoid.
Allowing access to marketing databases would be enormously expensive. In fact,
it would require retooling of an entire industry. Existing database architecture
would have to be redesigned and disparate databases linked together to form name-
driven profiles. Large customer service staffs would have to be hired and stringent
security safeguards put in place. While that expense is justified and necessary with
regard to information governed by the Fair Credit Reporting Act, it is of question-
able value for data collected only for marketing purposes.
A consumers current ability to opt-out of having their name shared for direct
marketing purposes satisfies the underlying concern about privacy without imposing
undue and unnecessary costs to businesses and risks to consumers that would result
from access requirements.
The current regulatory environment
A significant body of legislation and self-regulatory regimes already govern the
use of consumer information. All information collected and utilized by Experian is
governed either by specific legislation or industry self-regulatory guidelines. The fol-
lowing lists describe the statutory and self-regulatory regimes currently governing
information use for marketing and credit reporting purposes, for both online and off-
line applications.
Regulatory requirements governing marketing information:
Drivers Privacy Protection Act (DPPA)
Fair Credit Reporting Act (FCRA; for pre-approved credit offers)
Childrens Online Privacy Protection Act (COPPA)
Telephone Consumer Protection Act and Telemarketing Sales Rule
State do-not-call requirements
Census Confidentiality Act
State Voter Records Acts
Gramm-Leach-Bliley Act
Self-regulatory standards for marketing information:
Direct Marketing Association (DMA) Privacy Promise
DMA Telephone Preference Service
DMA Mail Preference Service
DMA Electronic Mail Preference Service
DMA Ethical Guidelines
Experian Information Values and associated practices
Regulatory requirements for credit information:
FCRA
Equal Credit Opportunity Act (ECOA; relates to risk score development)
Fair Debt Collection Practices Act (FDCPA)
Gramm-Leach-Bliley Act
Experian supports the House Commerce Subcommittees efforts to thoroughly in-
vestigate the issue of consumer privacy before concluding that more legislation is
necessary. The Subcommittee is wise to focus on what gaps exist, if any, and wheth-
er there is a need for new regulatory mandates or enforcement regimes.
The combination of existing statutory requirements and self-regulatory guidelines
of marketing information already is substantial. Experian is constantly working
with its trade groups to strengthen and improve existing self-regulatory standards.
For these reasons, Experian opposes further federal regulation of marketing and ref-
erence service information at this time.
The debate about privacy is incomplete and evolving. We do not yet fully under-
stand the importance of information flows to our robust economy. Enacting legisla-
tion based on incomplete knowledge could result in additional, negative, unintended
consequences to our economy and greater consumer inconvenience with no meaning-
ful privacy protection.
77
The above listed regulations and self-regulatory regimes must be allowed time to
work and the impact of their restrictions on information use studied. The affects of
the safeguards implemented by these laws and of the recently enacted Gramm-
Leach-Bliley Act are as yet unknown. It is essential that we allow some time for
these new laws to bear out any unforeseen or unintended consequences.
To reiterate, Experian strongly believes existing law, industry self-regulation and
market responses are providing more than adequate consumer protection.
In fact, we are concerned that current legislation may already have gone too far,
and has failed to balance economic vitality against legitimate consumer interests.
The scale is often tilted by the assumption that direct marketing somehow causes
harm. A number of studies, including a report by the Federal Trade Commission,14
have found no evidence of real harm resulting from marketing information use.
Hard questions should be asked of those who claim consumers have suffered real
harm. How do they define harm? Where are the examples of real harm? Is there
truly harm, or are they erroneously equating harm with annoyance?
New legislation should be considered only if specific consumer harm can be dem-
onstrated and must be implemented only in a manner that carefully balances in-
tended consumer privacy protection against the economic benefit of accessible mar-
keting information.
CONCLUSION
Thank you for the opportunity to submit these remarks on behalf of Experian. I
hope this document helps dispel a few of the myths about marketing information
use, addresses important privacy concerns and clarifies the importance of informa-
tion use to our robust economy. I look forward to future opportunities to work with
the subcommittee as it studies privacy and information use.
Appendix AExperian History

Year Event
1932 .......... Michigan Merchants Co., later known as Credit Data Corp., is formed to provide credit-reporting services.
1966 .......... Metromedia acquires lettershop capabilities and begins operation of its direct marketing division called
Metromail.
1969 .......... Conglomerate TRW buys Credit Data Corp.
1979 .......... Metromedia buys Marketing Electronic Corp. to provide list enhancement services within Metromail.
1981 .......... Direct Marketing Technology, Inc. is founded in the Chicago area.
1987 .......... TRW buys Executive Service Co. to expand into the direct marketing industry.
Metromail is acquired by R.R. Donnelly & Sons Co., the worlds largest printer.
1989 .......... TRW buys Chilton Corp., a credit-reporting company founded in 1897.
1996 .......... TRW sells Information Systems & Services unit to a group of investors.
Experian name and logo are introduced.
Group of investors sells Experian to The Great Universal Stores P.L.C., a British conglomerate.
1997 .......... CCN/MDS is integrated with Experian North America.
Experian buys Direct Tech, a leading provider of list processing, database marketing, and consulting, analyt-
ical and information services.
Direct Tech buys Brigar Computer Services.
Metromail buys Saxe Inc., Marketing Information Technologies, and Atlantes Corp.
1998 .......... Experian buys Metromail, a leading provider of database marketing, direct marketing, mail processing and
distribution, and reference products and services.
2001 .......... Experian buys Exactis, the global leader in multi-platform interactive marketing.
78
79
80
81
Notes
1 Michael A. Turner, Executive Director, Information Services Executive Council, The Impact
of Data Restrictions On Consumer Distance Shopping, 2001.
2 Ernst & Young LLP, Customer Benefits from Current Information Sharing by Financial Serv-
ices Companies, conducted for The Financial Services Roundtable, December 2000.
3 Walter F. Kitchenman, Senior Analyst, Commercial Banking, The Tower Group, Summary
of Tower Group Studies Related to European System of Opt-In, 1999
4 Fred H. Cate, Professor of Law and Director of the Information Law and Commerce Insti-
tute, Indiana University School of Law, Michael E. Staten, distinguished Professor and Director
of the Credit Research Center, The Robert Emmett McDonough School of Business, Georgetown
University, Putting People First: Consumer Benefits of Information-Sharing: Summary, Decem-
ber 2000
University, Putting People First: Consumer Benefits of Information-Sharing, December 2000
6 Ernst & Young LLP, Customer Benefits from Current Information Sharing by Financial Serv-
ices Companies, conducted for The Financial Services Roundtable, December 2000.
7 Walter F. Kitchenman, Senior Analyst, Commercial Banking, The Tower Group, Summary
of Tower Group Studies Related to European System of Opt-In, 1999.
8 WEFA Group, 2000 Economic Impact: U.S. Executive Marketing Today Executive Summary,
http://www.the-dma.org/library/publications/libres-ecoimp1b1a.shtml
University, The Value of Information-Sharing, July 2000.
10 Walter F. Kitchenman, Senior Analyst, Commercial Banking, The Tower Group, US Credit
Reporting: Perceived Benefits Outweigh Privacy Concerns, January 1999
11 Ernst & Young LLP, Customer Benefits from Current Information Sharing by Financial
Services Companies, conducted for The Financial Services Roundtable, December 2000.
University, The Value of Information-Sharing, July 2000.
13 Michael A. Turner, Executive Director, Information Services Executive Council, The Impact
of Data Restrictions On Consumer Distance Shopping, 2001.
14 Paul H. Rubin and Thomas M Lenard, The Progress & Freedom Foundation, Privacy and
the Commercial use of Personal Information, July 2001.
Mr. STEARNS. Thank you. Ms. Zuccarini, I have a question. You

talk about these myths that you mentioned. You have a national
fraud data base, though, right?
Ms. ZUCCARINI. Yes, we do.
Mr. STEARNS. And why was it established? And isnt it oriented
toward individuals?
Ms. ZUCCARINI. It is, but that is not a marketing use. It is not
for marketing purposes.
Mr. STEARNS. Why was it established?
Ms. ZUCCARINI. To help prevent identity fraud, and detect fraud.
Mr. STEARNS. And who gets access to that?
Ms. ZUCCARINI. That would be businesses that have a need for
that. That is not a marketing purpose, and covered under the
Mr. STEARNS. So a business could subscribe to this? Any business
could subscribe to this fraud data base?
Ms. ZUCCARINI. I am not positive of the answer to that. I would
have to get back to you. It is in a different division.
Mr. STEARNS. Okay. When you go on the Internet, you see these
web sites that say, we go and get credit information. We go to pub-
lic courthouses, and we go across the board, and find all this infor-
mation, and we compile it. Does your company do that?
Ms. ZUCCARINI. We do that in a separate division.
Mr. STEARNS. Okay. And then you provide this information for
law enforcement, government agencies, and you say other organi-
zations with legitimate and appropriate need for such information,
I think you are indicating.
Ms. ZUCCARINI. Other qualified users, such as
82
Mr. STEARNS. Yes. What other organizations would have access

besides law enforcement, government agencies, and how would
they get it?
Ms. ZUCCARINI. It would have to be a purpose that would be cov-
ered under the Fair Credit, or the exemptions to the Fair Credit
Reporting Act. In terms of examples of users, I believe I gave some
in my written testimony: child support enforcement, witness look-
up and protection, those types of things.
Mr. STEARNS. In your testimony, you indicated that Experian has
found that rigid rules directing information use are quickly out-
dated by todays rapidly evolving technology and constantly chang-
ing consumer and business needs and expectations. You might just
help us with what you mean by that, how it has changed, and you
know, what impact that would have, from our standpoint as a leg-
islator.
Ms. ZUCCARINI. Experian has five core information values that
we live by and we practice within our business: balance, accuracy,
security, integrity, and communication. We have privacy compli-
ance teams within each business unit that are responsible for en-
forcing these values and the written policies that support them.
By ensuring that our entire organization is aware of these five
valuesin addition to written policies and the officers that are re-
sponsible for making sure that they are employedthat gives us
flexibility in making sure that we are recognizing whether tech-
nologies are advancing, or there are different needs to protect cer-
tain types of sensitive data, for example.
Mr. STEARNS. Okay. Ms. Barrett, you make the point that e-
commerce has increased consumer product availability. It has also
made consumer recognition more difficult. What do you mean by
that?
Ms. BARRETT. Well, I will go back to the example I used earlier
of the store owner of 100 years ago, where he knew his customer
because he walked in. Today, many customers buy from the Inter-
net, they buy over the telephone, or they order through a catalogue,
and the merchant has no opportunity to interact with that cus-
tomer beyond the purchase.
That makes it much more difficult for a company to really under-
stand, beyond what a customer bought, who that customer is, what
they are interested in, what other products and services might be
of likely interest.
Mr. STEARNS. Going back to this web site, where you can pay $35
and find this information that Mr. Doyle talked aboutyou know,
if a corporation came to you and said, we want to buy this informa-
tion, oryou would give him this information, he might put it on
the web site. How do you protect the consumer whose information
you have?
Ms. BARRETT. We have a variety of products that are designed
and developed for very specific business purposes. We do not sell
data in bulk to anyone for any purpose. Our contracts limit what
the data can be used for by the purchaser, and we monitor that to
assure that those contractual restrictions are enforced.
Mr. STEARNS. Mr. Ford, you highlight that the harm of using
personal information practices for marketing is minimal. Can you
describe the harm that such information, I guesshow can it be
83
misused, or how do you go to protect so that the marketing infor-

mation would be misused? Did that make sense?
Mr. FORD. Let me make sure I understand your question, Mr.
Stearns. Are you asking me to define some ways in which mar-
keting data might be misused?
Mr. STEARNS. You are saying it is minimal. Give me examples of
how it would be misused, and what you are doing to protect it, so
that you dont have that case.
Mr. FORD. I think one example comes in the use of the informa-
tion that we have. For example, what restrictions do we place on
who is able to receive that information? We, for example, have a
policy that we do not provide certain data to insurance companies.
We make sure that when a subscriber, or someone who uses our
data, we have policies and procedures in place that allow us to
check and make sure that the information we have provided is only
being used in accordance with the contract.
We have review authority for any of the copy or the direct mar-
keting materials that go out. So we are in a position to take a look
at what our customers are doing with the data that we provide.
Mr. STEARNS. You mentioned that you have undergone privacy
audits conducted by Dr. Westin?
Mr. FORD. Correct.
Mr. STEARNS. And can you explain how, how comprehensive are
these audits? And what standards do they meet? Is there a seal of
approval or best business practices-type of thing? And what is the
cost of such an audit?
Mr. FORD. Okay, that is a great question, I appreciate your ask-
ing it. Without sounding too flippant, we like to say at Equifax that
we were for privacy before privacy was cool. We engaged Dr. Alan
Westin in 1988 as a privacy consultant for us.
Since that time, he has helped us develop our privacy policies
and our procedures. And he has developed, with our input, too, a
template that we use, that we overlay for each product or service
before it goes out the door. And in fact, the template has evolved
to where it covers issues like notice, and choice, and access, and se-
curity, and the standard fair information practices that I think we
are all accustomed to.
So we have an internal process in our company that forces our
products and services to go through this review before it goes to the
marketplace.
Mr. STEARNS. And what does it cost, such an audit?
Mr. FORD. Alan Westin is on retainer, annual retainer to us. This
is part of his consulting assignment for us.
If I might add, too, sir, we also were one of the first companies
to qualify for and earn the Better Business Bureau Online Privacy
seal. So in terms of audit, in terms of consumers going to our web
siteI think the previous panel mentioned a visible way of gener-
ating trust and confidence at the site; having that seal up there is
one way to do that.
Mr. STEARNS. Okay. My time has expired. Mr. Towns?
Mr. TOWNS. Thank you very much, Mr. Chairman. I think all of
you, I think I hear you saying that self-regulation is the key to
your business growth and development. And I trust and do believe
84
that all of you are good actors and so on, in terms of you doing
things right.
Would your organizations support a bill which would create fi-
nancial penalties for companies who commit online fraud and
abuse? Go right down the line, starting with Ms. Barrett.
Ms. BARRETT. Okay. We believe that online fraud and abuse is
already illegal, and certainly would support any legislation that
strengthens those penalties.
Mr. TOWNS. Mr. Ford? I know you say that harm is minimal,
but
Mr. FORD. Well, I agree with Ms. Barrett that the fraud and de-
terrence act that was passed a couple of years ago was a bill that
Equifax supported. I think your larger question might be would we
support further legislation, and I dont mean to put the question
in my words. But it is not a perfect world, and I dont think there
is such a thing as perfect legislation. So our view, Equifaxs view,
is that we would like to see self-regulation be given a chance to run
its course. If it doesnt work, and there is an actual, demonstrated,
real harm, then lets focus on legislation that would address that
particular harm.
Mr. TOWNS. Yes, I was thinking that the bad actors that would
be punished, while still being held to some kind of minimum stand-
ards. I am a little concerned about not having one.
Mr. FORD. Again, sir, I would say that if responsible companies
do business with responsible companies, then those bad actors ulti-
mately are going to be weeded out of the marketplace.
Mr. TOWNS. Ms. Zuccarini?
Ms. ZUCCARINI. I would agree with Jennifer and John, that on-
line fraud, we believe, is already illegal, and prosecuting that
should definitely be encouraged.
With regard to additional legislation, we too believe that the
record is not yet clear whether there are unintended consequences
that might come from restricting further use of marketing informa-
tion, and what the impact might be, both on businesses and on con-
sumers, in terms of choice.
Mr. TOWNS. Well, you know, you are right, I mean, it is illegal.
But you know, but it is being done. And I am not sure how much
you said minimal, but I am not sure in terms of how much is
going on.
But let me ask this: how secure are your data bases? How cer-
tain are you that you can prevent unauthorized access?
Ms. ZUCCARINI. Question for me?
Mr. TOWNS. I am going down the line.
Ms. ZUCCARINI. Sure, I can take that. We have been responsible
stewards of consumer information for over 50 years. Making sure
consumer information is secure is mission-critical for Experian.
We have a variety of different security techniques that range
from our general security environment of being password-protected
with encrypted data transfer, to requiring IDs with security cam-
eras. We have automated system monitoring that indicates what
type of data is being accessed and when and by whom. We have
automated and manual systems that flag when sensitive data is
being accessed, and bring transactions to a halt until we can actu-
ally manually inspect that and approve it.
85
In addition to that, we have contractual requirements in our con-

tracts that state that the data must be used for marketing pur-
poses; that we have the right to inspect any communication associ-
ated with it. We have the right to audit, and we do business with
legitimate businesses.
Mr. FORD. I dont know that there is much I could add to that.
That covers the gamut for Equifax as well, in terms of the physical
security, in terms of the technological security, in terms ofmaybe
one thing I could add is lets remember that most of this data, even
if someone were to be able to get access to it, most of this data is
probability data. It is characteristics about a particular zip code or
geographic area, for example.
The data is not organized by name. So it is not as if there is an
Equifax direct marketing file for John Ford, and there is this little
pigeonhole, and all this data about me is in there. The file is not
organized that way.
Ms. BARRETT. I would concur with the comments from Mr. Ford
and Ms. Zuccarini. I might add that Acxiom also employs external
auditors, security auditors, to come in on a regular basis to test our
processes and our systems to make sure they are current with tech-
nology and the latest security updates.
Mr. TOWNS. Right. Is any opportunity provided for a person to
make a request, that I would like to come in and review, you know,
my files with you? Is it possible for that to happen?
Ms. BARRETT. We do not provide access to our marketing infor-
mation. Our systems are not designed in a way that you can go in
and look up information on one individual. If a consumer contacts
us and is interested about what information we have on them, we
tell them what types of information we might have in the data
base, and if they are uncomfortable with that, we offer them the
opportunity to opt out of that data base.
Mr. FORD. Again, Mr. Towns, the data base is not organized by
name and address. So it would take a programmer to go in and ob-
tain the personally identifiable data, name and address, and then
associate the characteristics that we ascribe to that person in some
kind of file. So yes, it can be done, but it is not a feasible process
at the moment.
Ms. ZUCCARINI. I would echo their comments. First of all, our
data is not in any single giant data base. It is in multiple places.
We have no mechanism as well to provide access. If a consumer
comes to us with questions about information we may have about
them, we also describe the type of information that we have and
offer them the opportunity to opt out.
Mr. TOWNS. Well, let me make sure I understand this. I mean,
this is a complicated issue.
Ms. ZUCCARINI. Yeah.
Mr. TOWNS. Okay. Im happy that Im not alone.
If you dont have it by individual, how can a person opt out?
Ms. BARRETT. The data is actually stored in large files that are
not accessible by individual record.
Mr. TOWNS. Then how can I opt out?
Ms. BARRETT. The files are updated and maintained on a batch
basis. And the ability to opt out occurs when maintenance trans-
86
actions are applied to those files. It is not a look-up type of service

that allows you to go retrieve the data on an individual.
Mr. FORD. If I can interject, I think maybe another way to look
at it is the outcome of the process by which a customer of ours ob-
tains data is a list of name and addresses. Before that list goes
anywhere, we run it up against any opt-out listour own, or
whether it is the Direct Marketing Associations listto take those
names out at the back end of the process. That is how people can
opt out.
Mr. TOWNS. I guess by now you know that there is a tremendous
amount of pressure from a lot of us, from our consumers, you know,
to really take a very serious look at this and do something. And
there are complaints; every time I have a town hall meeting, you
know, I always get one personand the funny thing about this is
that one person can tell a story and there comes a situation where
everybody wants to top it. And this goes on, and it gets bigger and
bigger.
So it is at the point where I really feel that Congress has to take
some kind of action. And I am happy that the chairman is moving
very slowly, because I wouldnt want to just jump and do some-
thing. We are hearing from a lot of folks; I think that is important.
But eventually, I really feel that we will have to take some kind
of action. And I dont want to do anything that is going to jeop-
ardize any companys ability to continue to grow and to expand.
But at the same time, we need to reassure our consumers, the cli-
ents out there, and our constituents, that there is this kind of pro-
tection in terms of privacy.
Every now and then things happen. I will give you an example.
I played at a golf course not too long ago. I mean, I dont even play
a lot of golf; I just signed up, went out there and banged away. And
now I am getting all this material. Now, I realize that it is from
playing at that golf course.
I dont want this material. I dont want anything. I dont want
to know anything about it, because I dont ever plan to go back
there again. So, you know, these are the kinds of things that when
you hear this, you know that these things are going on.
And I dont question for a moment the fact that you are doing
the right thing. But my problem is, is with those that are not doing
the right thing, and that I am not sure the penalties are great
enough, or strong enough, to really give the kind of protection that
we need to give.
And that is where I am coming from. I dont question anything
you have said today in reference to your companies. I do believe
you are doing the right thing. But you must know, too, there are
some folks out there that are not doing the right thing, and that
is our problem. That is our problem. And they make it bad for you
as well.
Mr. Chairman, on that note I yield.
Mr. STEARNS. Okay. We can go a second round. I just have some
illustrative points along where my colleague from New York
brought this discussion. Experian has, in Appendix B to their testi-
monyand I just want to list some of the things that they seek,
in terms of marketing data.
87
They go to public records, and they go to white page telephone

listings, to get information. And then they go to real estate infor-
mationyour home ownership, the type of home you have, the
characteristics. They go to voter recordsname, address, date of
birth. They go to occupational licenses, State professional licenses,
whether it be medical, attorney, cosmetology. Then they will go to
recreational license, to see if you have a fishing license or a hunt-
ing license.
Then, if they have back from you a card that you have filled
outperhaps you filled this card out because you want to get a
new car, or you want to get a free giftthey would have lifestyle
information. They would have, you know, things that you enjoy
whether it is sports, music, investing, hobbies, great outdoors,
world environment. And then it gets to your age, your marital sta-
tus, gender, home ownership, number of children. And they ask for
an estimated home income.
Now, you take all that information and you try and correlate it
with the census information, which doesnt have the name, but
does have a lot of information that you filled out. You can get a
pretty good picture of a person. Am I wrong? Is that true, that with
this kind of data base, that the Americans who are, I think, un-
aware of the kind of information that you would haveand you say
it is not for individual, but it is provided with a name with it.
Ms. ZUCCARINI. That is correct, it is. It is demographic, lifestyle,
and interest information. And the lifestyle and interest information
is either self-reported or public record data.
Mr. STEARNS. Now, lets say I want to get a copy of everything
you have on me. How would I do it?
Ms. ZUCCARINI. We wouldnt provide that to you, because we
have a policy of not providing data to individuals.
Mr. STEARNS. Okay. Yet you could sell that informationand I
am not being critical; I am just exploring this for whoever is inter-
ested. A non-profit organization could come to you and say, you
know, I want to buy this from you. You would sell it to a not-for-
profit organization, wouldnt you?
Ms. ZUCCARINI. We would sell a list.
Mr. STEARNS. A list?
Ms. ZUCCARINI. Of no less than 50. Our systems dont even re-
turn a list of under 50.
Mr. STEARNS. Okay. And so I would have to specify all these life-
style characteristics and the information in here to get the list? But
you would not provide individual names correlated with all this in-
formation?
Ms. ZUCCARINI. We would provide a list back to you that had a
list of people that satisfied your request for different lifestyle inter-
ests.
Lets say, if you were interested in selecting people that enjoy
cooking, because you have a cooking catalogue, you would get back
a list of individuals that enjoy cooking.
Mr. STEARNS. So I could come to you and say, okay, I want some-
body who is making between $50,000 and $100,000 who is inter-
ested in rhythm and blues music, who enjoys skiing, who has a
fishing license, and attends church, and also interested in gar-
88
dening, and is married with three children. You could come back
with a list?
Ms. ZUCCARINI. We could come back with a list, yes.
Mr. STEARNS. And you would give me names?
Ms. ZUCCARINI. We would. So you could send an advertising offer
to them. For marketing purposes.
Mr. STEARNS. Now, lets say a person is in your data base and
he or she wants to get out of that data base. How do they get out?
Ms. ZUCCARINI. A variety of different ways. We honor the Direct
Marketing Association mail preference service and telephone pref-
erence services and e-mail preference services, which are widely
publicized, which allow people to go directly to the DMAthey
dont even have to contact us.
We publicize, on our web site and with a toll-free phone number,
that you can call, if you would like to remove yourself from our
mailing list. In addition, we provide consumer advocate groups, leg-
islators, States attorney generals offices, a variety of different
groups, with an extensive consumer outreach program, where we
outline the steps that you can take to remove yourself from our
marketing information list.
Mr. STEARNS. Okay. What would be your worst nightmare? For
example, Ms. Barrett, your company makes most of its money deal-
ing with the management of these data bases. And I assume, cer-
tainly Experian is, youre owned by Europe, by a European com-
pany.
Ms. ZUCCARINI. We are owned by Great Universal Stores.
Mr. STEARNS. Yes, so you are over in Europe. Does that mean
you are complying with the European Internet privacy
Ms. ZUCCARINI. Our international operations are largely autono-
mous. We are compliant with the country laws in Europe. We have
not subscribed to safe harbor.
Mr. STEARNS. You have not subscribed?
Ms. ZUCCARINI. No, we have not.
Mr. STEARNS. But since you are a European Union company, I
would think you would have to comply.
Ms. ZUCCARINI. Our U.K. operations, our international oper-
ations. I am talking about Experian Marketing Solutions, the orga-
nization that I am representing today here in the U.S.
Mr. STEARNS. Oh, okay. Okay, I see that. So the worst nightmare
would be, Ms. Barrett, for your company, is if the Federal Govern-
ment came up with this Internet privacy legislation like the Euro-
pean Unions, so that your data bases would be affected, dont you
think?
Ms. BARRETT. Well, in that we operate in five countries in Eu-
rope as well as here in the United States, we appreciate the dif-
ferences between the European law and the U.S. law.
Mr. STEARNS. Right. I am just trying to help you out. You are
trying to tell us as legislators, please, Mr. Legislator, dont do this,
because this would harm us because we get most of our income
from the management of these data bases. So I am just trying to
understand from your point of view, as I try to understand for con-
sumer groupswhen they come in here, I ask them the same ques-
tion: what is the thing that concerns you most? What should I do
as a legislator, and Mr. Towns, and so on?
89
And so I am asking you, what would be your concern if we devel-

oped an Internet privacy bill that would, you know, do something
with the data bases that you manage?
Ms. BARRETT. If it restricted the flow of information for legiti-
mate businesses to use for marketing purposes, then not only
Acxiom but our customers, and ultimately the consumers, are going
to have serious economic impacts. A number of studies show the
variety of economic benefits and savings that our customers,
through the use of our data, get. An apparel study showed that
somewhere between 3 and 11 percent, if you restricted in the way
that the Europeans have, some of the data, the costs in the apparel
industry would go up between 3 and 6 percent. We view that really
as a means of taxing the consumer to pay for the lack of economic
benefit that we enjoy today.
Mr. STEARNS. Mr. Ford? Either one of the other panelists would
like to comment, what would be your worst nightmare?
Mr. FORD. I havent given it a great deal of thought. But in the
past minute, I would have to say that probably mandated opt-in
and I am speaking about off-line and online.
Mr. STEARNS. Now, there are a lot of people that want to do a
mandated opt-in. Particularly with financial and medical records.
Mr. FORD. Well, that is a different story, because in the direct
marketing business that we are talking about, we dont have finan-
cial records or medical records. We are only talking about the kind
of direct marketing information that we have. I think what you are
about ready to refer to is ailment data that is self-reported by the
consumer.
Mr. STEARNS. The problem is that people say, well, just financial
or medical information is sensitive. But if you take all this informa-
tion that I mentioned here, in terms of the lifestyle, and then you
combine that with public records and telephone directory informa-
tion, and then the census information that I can glean from your
neighborhood and where you live, you come up with some pretty
sensitive information about individuals. And maybe people want to
be able to opt in.
Mr. FORD. Well, I would ask that you remember, sir, that the
kind of information that is sensitive there is self-reported informa-
tion. It is not information that my company goes out and gleans
from someplace.
Mr. STEARNS. No, I understand.
Mr. FORD. So there is a built-inthere is a built-in opt-in, if I
am filling out
Mr. STEARNS. Because they volunteered?
Mr. FORD. Because they volunteered the information. And we
make it possible for them to opt out of what they have opted into.
They can come back later on and say, no, I want to take that back.
In fact, on our web site, which conducts this same kind of survey,
there is a double opt-in. They fill out the survey, they are asked
if they are comfortable with it, if they really want to send it. They
hit the button, yes, they do, we come back at them and say, Are
you sure? And then, each time we ask them to fill out the survey
again, they have the ability to unsubscribe.
So I submit that the sensitive information, such as it is, is volun-
tarily provided.
90
Mr. STEARNS. Anything you would like to add to that? What your
worst nightmare is?
Ms. ZUCCARINI. My worst nightmare? I have many nightmares,
but my worst one is mandated opt-in, because I think what we are
doing then is setting the default standard for the majority of the
population, whether we are looking at opt-in or opt-out. And if we
are looking at opt-in, then we believe that that default standard
will be not so much a sincere concern about protection of privacy,
but may be as a result of consumer inertia, people not wanting to
respond back affirmatively. And we are concerned about the poten-
tial unintended consequences, again, both economically and to con-
sumers in terms of less choice, higher prices, and less competition.
What you would start to look at in that case is an extreme chal-
lenge for a new market entrant or a small business to actually be
able to compete and advertise effectively.
Mr. STEARNS. Yes, Mr. Ford?
Mr. FORD. May I make one more comment about that, sir?
Mr. STEARNS. Sure.
Mr. FORD. I think that we are all in agreement that we want
consumers to have informed choice. And we do both; at Equifax, we
provide the ability for consumers to opt out of this data off-line,
and we provide online the ability to opt in.
But I think there are a number of national surveys who have
kind of segmented the American population into a group that is
called privacy fundamentalists, a group that is probably 20 percent
or so, maybe more, 20, 25 percent, at one end that are privacy fun-
damentalists. At the other end, you have the privacy unconcerned,
maybe 15 percent.
Mr. STEARNS. Libertarians.
Mr. FORD. And then in the middle, you have got this 55 percent
that are the pragmatic middle. So we need a system that satisfies
the needs of that full range of people who want to have different
choices.
By making opt-in the default mechanism, we satisfy probably the
privacy fundamentalists, and we disenfranchise the other two-
thirds who may want to see those offers. They may want to become
informed citizens by receiving these offers. So my argument is, lets
go with an opt-out mechanism. It still protects the fundamentalists
who want to not receive any more, and it offers the choice to the
other two-thirds.
Mr. STEARNS. Well, I thinkMr. Towns?
Mr. TOWNS. Yes. Well, you know, I want to go back to the bad
actors. You know, they are out there. What should we do about
them? Because what is going on now is really not working. It is not
that effective. So what do we do to sort of address that issue?
Other than pray?
Mr. FORD. That, too.
Ms. BARRETT. Mr. Towns, I think we haveif there is any area
for criticism, both of the government and of industry, is that we
have not done a good job of educating the consumer about not only
what their choices are, but how to watch out for bad actors.
There are many things that industry is working on in that re-
gard. I think individual companies need to take the initiative as
well. We have produced a booklet called What Every Consumer
91
Should Know About the Use of Personal Information. It is avail-

able on our web site. We would love to have it distributed by any-
one who wants to distribute it.
I think that we have an obligation and a responsibility to con-
sumers to tell them about not only the valuable uses of informa-
tion, but the tools and choices that they have at their hands, so
that those that do want to exercise them can.
Mr. TOWNS. The accuracy in your data base, do you feel com-
fortable with that? In terms of the accuracy, do you think it is very
accurate?
Ms. BARRETT. We strive very hard to make the data in our data
bases accurate. And in our interactions with consumers, we actu-
ally have consumers that contact us and have learned that it is in-
accurate, and give us corrected information. So we are always striv-
ing to keep the data accurate and current.
Mr. FORD. Perhaps a better word for us is, is the data base reli-
able? Is it predictive? Can our customers use it reliably to make
sure that they are sending the kind of offers to the kind of people
who are interested in receiving those offers? And I think our data
bases are highly reliable.
Ms. ZUCCARINI. We would concur with that as well. We put an
enormous amount of resources and effort against making sure that
the information is as accurate as we can make it, and making sure
as well that it is reliable, so that businesses, again, can try to de-
termine whether consumers are interested in receiving marketing
offers.
Mr. TOWNS. Mr. Ford and Ms. Zuccarini, I still want to get your
views and feelings on what we should do about these bad actors.
Ms. ZUCCARINI. Can I comment on that?
Mr. FORD. Go ahead.
Ms. ZUCCARINI. Yes, again, our first recommendation would be,
make sure that we are strictly enforcing the existing laws. There
are, I believe, eight laws at least that currently govern the type of
marketing information that we are discussing today. In addition to
that, we have very strict self-regulatory guidelines through our
trade organizations, and our clients are members of those. And to
make sure that we are doing that, and really step up the enforce-
ment.
The second thing would be to echo what Ms. Barrett said with
regard to consumer education. We need to do a better job of making
sure consumers understand how to recognize bad actors, and how
they can contribute to making sure that they are no longer in busi-
ness.
Mr. FORD. I look at it as a three-pronged initiative, or three sets
of responsibilities. Business has a responsibility to educate con-
sumers about the products and the services, and the technologies
that are out there that they can use to help them protect their pri-
vacy.
Government has a responsibility in two ways. No. 1, to enforce
the laws that have already been enacted. And No. 2, I think that
on the political side, that peeling this onion, which this series of
hearings is really trying to do, to understand the complexities of
this issue, is very, very important to making good public policy.
And that is what you are doing, and I very much appreciate that.
92
On the consumer side, though, they have an obligation and a re-

sponsibility, I think, as well, to make themselves informed con-
sumers; to take advantage of the information that is out there, the
products, the technologies.
And there is also something known as the teachable moment: to
send out some educational material to a consumer who is not at a
teachable moment is not very effective. So finding those opportuni-
ties when consumers are, if not eager, at least willing to learn
more, is a task that business must set itself, too.
Mr. TOWNS. Thank you very much. Thank you, Mr. Chairman.
Mr. STEARNS. I thank my colleague. We will complete the second
panel. We want to thank you, again, for waiting for us. We had a
very good hearing, and I think, as you pointed out, that we are
moving incrementally to try to understand this very broad and sig-
nificant and comprehensive area. And we thank you again for testi-
fying.
And the subcommittee is adjourned.
[Whereupon, at 12:55 p.m., the subcommittee was adjourned.]

House Hearing, 107TH Congress - ''How Do Businesses Use Customer Information: Is The Customer's Privacy Protected?''

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

House Hearing, 107TH Congress - ''How Do Businesses Use Customer Information: Is The Customer's Privacy Protected?''

Загружено:

Авторское право:

Доступные форматы

HOW DO BUSINESSES USE CUSTOMER INFORMA-

TION: IS THE CUSTOMERS PRIVACY PRO-

COMMITTEE ON ENERGY AND

JULY 26, 2001

Serial No. 10749

Printed for the use of the Committee on Energy and Commerce

U.S. GOVERNMENT PRINTING OFFICE

For sale by the Superintendent of Documents, U.S. Government Printing Office

SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION

THURSDAY, JULY 26, 2001

U.S. HOUSE OF REPRESENTATIVES,

privacy. So I recommendI commend all of them for their partici-

PREPARED STATEMENT OF HON. EDOLPHUS TOWNS, A REPRESENTATIVE IN CONGRESS

PREPARED STATEMENT OF HON. JOHN D. DINGELL, A REPRESENTATIVE IN CONGRESS

letter, prioritize telephone handling with a special toll-free number,

cietal expectations for privacy with the objective of enhancing our

Again, we appreciate the opportunity to be here today to discuss GMs approach

new products not yet available in stores. This increases satisfaction

personal information is good for business; and sharing personal in-

In conclusion, we believe that understanding consumer needs, delivering con-

portant to us. Indeed, as Amazon.com strives to be the Earths

and security? The reason is simple: privacy is important to our cus-

STATEMENT OF DAVID A. JOHNSON

fered products and services that respond to their demonstrated

[The prepared statement of David A. Johnson follows:]

1 Customer Service by Fred Wiersema (Harper-Collins Publishers, Inc. 1998).

2 Customer Service at xiv-xviii.

many years. And we just recently have elected to streamline many

Mr. STEARNS. Basic for Federal legislation?

If a privacy policy is announced by a company, and then not fol-

Ms. PEARSON. I get to start. From IBMs point of view, it is the

Mr. JOHNSON. Mr. Tauzin, we believe that there is not a reason

Ms. HOURIGAN. I would agree with Ms. Pearsons statements,

Commission to encourage that kind of activity, I think would be ap-

The other thing I would mention is the introduction of the plat-

ity and movement in that area, to create Federal-level protections.

This is where we have developed our policies. This is where we

Mr. WALDEN. Okay, that would be helpful. Thank you.

And honestly, what I have found as I have gotten into privacy,

Ms. HOURIGAN. I dont think there is any specific part that we

Mr. MISENER. Well, I am not sure we are worried, actually, Mr.

I think, you know, some of the software that is being developed

made to go after those specific types of information, as opposed to

sponsibly providing innovative data management services to a

piled list products provide access to likely new consumers who

Chairman Stearns, Ranking Member Towns, and members of the Subcommittee,

Acxioms information products help fill an important gap in todays business to

RESPECTING CONSUMER PRIVACY

Acxiom has a long-standing tradition and engrained culture of respecting con-

STATEMENT OF JOHN A. FORD

I want to emphasize that our consumer reporting data base is en-

data base based on a name. Data collection or exchange, rather, is

Experian is one of the worlds leading information solutions companies. Primarily

Because of the information services provided by Experian and its counterparts,

Why marketing information is important to businesses

Experian is a data aggregator. Our company collects and maintains information

Appendix AExperian History

Mr. STEARNS. Thank you. Ms. Zuccarini, I have a question. You

Mr. STEARNS. Yes. What other organizations would have access

misused, or how do you go to protect so that the marketing infor-

In addition to that, we have contractual requirements in our con-

actions are applied to those files. It is not a look-up type of service

They go to public records, and they go to white page telephone